<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature interface inside SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK' signature
    mov ax, 04h
    int 3                   ; SoftICE intercepts int 3 when ebp='BCHK'
    cmp al,4                ; al is no longer 4 when SoftICE handled the int 3
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much in use (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via
int 2Fh/1684h (Get API Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0 if the VxD is not loaded
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler (assumes ES = 0,
    xchg bx, es:[41h*4+2]   ; the interrupt vector table, as in method 06)
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our own handler leaves ax untouched
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP
___________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; only reached if nobody else caught int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read a changing value from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl != al if our handler never ran
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip
    is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; DOS set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring 0 only). The values can be manipulated and/or changed as
well (clearing BPMs for instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device name \\.\SICE once the C escapes are resolved */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE ?
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) + 1 = 0 if the open failed
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected
___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed            ; ZF set when no debugger is installed

This service just checks a flag.
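Seen from the analyst's side, the scanner below is an added example (not part of the original text): it searches a binary for the byte patterns and strings that methods 01 to 13 above leave behind, so a sample can be triaged for SoftICE checks before anyone steps through it. The instruction encodings are the standard x86 ones; the names SIGNATURES, scan and SAMPLE, and the sample buffer itself, are constructed here.

```python
import re

# Byte patterns left in a binary by the SoftICE checks of methods 01-13.
# Instruction encodings are the standard x86 ones (B8 imm16 = mov ax,imm16,
# BB imm16 = mov bx,imm16, BD imm32 = mov ebp,imm32, CD xx = int xx,
# 3D imm16 = cmp ax,imm16); an optional 66h prefix covers the same
# 16-bit-operand instruction emitted from a 32-bit code segment.
DEVICE_NAMES = re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"
SIGNATURES = {
    "M01 int3 with ebp='BCHK'":         rb"(?:\x66)?\xbd\x4b\x48\x43\x42",
    "M02 int3 backdoor magic si/di":    rb"(?:\x66)?\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a",
    "M03/04 int2F/1684h VxD ID":        rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f",
    "M05 int41 function 4Fh":           rb"(?:\x66)?\xb8\x4f\x00\xcd\x41",
    "M05/07/12 cmp ax,0F386h":          rb"(?:\x66)?\x3d\x86\xf3",
    "M07 int68 function 43h":           rb"\xb4\x43\xcd\x68",
    "M11 device name":                  DEVICE_NAMES,
    "M12 VxDCall VWIN32_Int41Dispatch": rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
    "M13 NuMega registry key":          re.escape(b"Software\\NuMega\\SoftICE"),
}
COMPILED = {name: re.compile(pat) for name, pat in SIGNATURES.items()}


def scan(buf):
    """Return sorted (offset, signature name) pairs for every hit in buf."""
    hits = []
    for name, pat in COMPILED.items():
        for m in pat.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: filler plus hand-assembled fragments of the methods above.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"      # M01: mov ebp,'BCHK'; mov ax,4; int 3
    + b"\x66\xbe\x47\x46\x66\xbf\x4d\x4a\xcc"          # M02: mov si,4647h; mov di,4A4Dh; int 3
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"              # M03: mov ax,1684h; mov bx,202h; int 2Fh
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"              # M05: mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                  # M12: push 4Fh; push 2A002Ah
    + b"\\\\.\\SICE\x00Software\\NuMega\\SoftICE\x00"  # M11 / M13 strings
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

A hit only says the pattern is present; where the match lands (code versus a string table) and what surrounds it still needs a look in the disassembler.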
</PRE></TD></TR></TBODY></TABLE>