<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command; the command string is pointed to by ds:dx)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________
Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of WinICE
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025  ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh           ; function 4Fh
    push 002A002Ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxdCall
    cmp ax, 0F386h           ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>