<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognises: EBP holds
'BCHK' and AX holds 4 when INT 3 is executed. If SoftICE is present it
services the INT 3 and AL no longer equals 4 on return; if nothing answers,
AL is untouched.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; still 4 -> nobody handled the signature
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is the
SoftICE 'back door' interface, normally used to get information on
breakpoints or to execute SoftICE commands from a program. It is also used
to crash SoftICE or to force it to execute arbitrary commands (HBOOT...) :-((

Here is a quick description of the functions, selected by AX:
-AX = 0910h (display a string in the SoftICE window)
-AX = 0911h (execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (get breakpoint information)
-AX = 0913h (set SoftICE breakpoints)
-AX = 0914h (remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' SoftICE requires before it services the INT 3.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands whose strings are pointed
to by ds:dx, which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (a reboot of
the machine).
* the "jmp to 00ADh" is performed by the program's own exception handler
  when the debugger is not loaded (an INT 3 that SoftICE does not service
  ends up there instead).

___________________________________________________________________________


Method 03
=========

Less used method. It looks for SoftICE's VxD by its ID via int 2Fh,
function 1684h (Get VxD API Entry Point). ES:DI is zeroed first; if a VxD
with that ID is loaded, the call returns its API entry point in ES:DI, so
anything other than 0:0 coming back means SoftICE is present.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES+DI == 0 -> no entry point returned
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
SoftICE's video VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

This one and the one in the next method are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the real-mode IVT
(segment 0, offset 41h*4) is swapped for a dummy handler that just does
IRET, so no ordinary handler installed in the IVT can answer with the magic
value; if AX still comes back as 0F386h, something outside the IVT (SoftICE,
which intercepts the interrupt before it reaches the V86 handler) answered.
ES must point to segment 0 here, as in the next method.

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install dummy handler, keep old offset
    xchg bx, es:[41h*4+2]       ; ... and old segment
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but harder to spot: no function
4Fh is requested and no magic number is compared. The program installs its
own int 41h handler, which copies AL into CL, then issues int 41h with an
unpredictable AL (read from the timer port 40h) and CX cleared. If the
interrupt reached the program's handler, CL equals AL afterwards; if the
interrupt never got there (SoftICE swallowed it), CL is still 0 and the
compare fails. (A timer byte of 0 would give a false negative, so the check
is not perfectly reliable.)

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; ES = 0 -> real-mode IVT
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; timer counter: an unpredictable value
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode), function
43h, which returns the same 0F386h magic number:

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...).

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler (DS = its segment)
    int 21h

___________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID (VxD IDs)
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the program with
the SoftICE loader, 0x400 otherwise) or whether some memory breakpoints are
set (DR0 to DR3), simply by reading their values. Reading or writing the
debug registers (mov reg, drN) is a privileged instruction, so this only
works in ring 0; from ring 3 it raises a general protection fault. Values can
also be manipulated or changed (clearing BPMs, for instance).
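
What the 0x400 and 0x700 values above mean is easier to see from the bit
layout of DR7. The decoder below is an added example (not code from the page
or from SoftICE) that pulls apart constructed DR7 values: the baseline with
nothing set, the loader case, and the value left behind by one armed 4-byte
read/write breakpoint, which is what a BPM on DR0 looks like. Function names
are its own; the values are built in the program rather than read with
mov eax,dr7, which, as noted, needs ring 0.

```c
/* Added example, not part of the original page: decode DR7 the way a ring-0
 * check in the spirit of Method 10 would.  Shows why DR7 reads 0x400 when
 * nothing is set (bit 10 is reserved and always 1), what 0x700 adds (the LE/GE
 * "exact breakpoint" bits) and what an armed memory breakpoint leaves in the
 * L/G, R/W and LEN fields.  Values are constructed, not read from the CPU.
 * Build: cc -std=c99 -Wall dr7.c && ./a.out */
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 *   bits 0..7    L0 G0 L1 G1 L2 G2 L3 G3   local/global enable for DR0..DR3
 *   bits 8, 9    LE, GE                    exact-breakpoint hints
 *   bit  10      reserved, reads as 1      -> the 0x400 baseline
 *   bits 16+4i   R/Wi (2 bits)             0 exec, 1 write, 2 I/O, 3 read/write
 *   bits 18+4i   LENi (2 bits)             0 -> 1 byte, 1 -> 2, 3 -> 4, 2 -> 8 */
#define DR7_RESERVED_ONE 0x400u
#define DR7_LE_GE        0x300u

int dr7_slot_enabled(uint32_t dr7, unsigned i)       /* i = 0..3 -> DR0..DR3 */
{
    return i < 4 && ((dr7 >> (2 * i)) & 3u) != 0;     /* Li or Gi set */
}

unsigned dr7_slot_rw(uint32_t dr7, unsigned i)
{
    return (dr7 >> (16 + 4 * i)) & 3u;
}

unsigned dr7_slot_len(uint32_t dr7, unsigned i)      /* in bytes */
{
    static const unsigned bytes[4] = { 1, 2, 8, 4 };  /* LEN encodings 0,1,2,3 */
    return bytes[(dr7 >> (18 + 4 * i)) & 3u];
}

/* The "some memory breakpoints are set" test: any L/G bit on. */
int dr7_any_breakpoint(uint32_t dr7)
{
    return (dr7 & 0xFFu) != 0;
}

/* The 0x700-vs-0x400 distinction described on the page: LE and GE both set. */
int dr7_exact_bits_set(uint32_t dr7)
{
    return (dr7 & DR7_LE_GE) == DR7_LE_GE;
}

/* DR7 after arming slot i as a local breakpoint with the given R/W and LEN
 * encodings; the other slots are left untouched. */
uint32_t dr7_arm(uint32_t dr7, unsigned i, unsigned rw, unsigned len_enc)
{
    unsigned shift = 16 + 4 * i;
    dr7 |= 1u << (2 * i);                             /* Li */
    dr7 &= ~(0xFu << shift);                          /* clear R/Wi and LENi */
    dr7 |= (((len_enc & 3u) << 2) | (rw & 3u)) << shift;
    return dr7;
}

/* Clear every breakpoint enable ("clearing BPMs"), keeping the reserved bit. */
uint32_t dr7_clear_all(uint32_t dr7)
{
    return (dr7 & ~0xFFu) | DR7_RESERVED_ONE;
}

static void describe(uint32_t dr7)
{
    printf("DR7=%08x exact=%d", (unsigned)dr7, dr7_exact_bits_set(dr7));
    for (unsigned i = 0; i < 4; i++)
        if (dr7_slot_enabled(dr7, i))
            printf("  DR%u: rw=%u len=%u", i, dr7_slot_rw(dr7, i), dr7_slot_len(dr7, i));
    fputs(dr7_any_breakpoint(dr7) ? "\n" : "  (no breakpoints)\n", stdout);
}

int main(void)
{
    uint32_t plain  = DR7_RESERVED_ONE;                 /* 0x400: nothing set */
    uint32_t loader = DR7_RESERVED_ONE | DR7_LE_GE;     /* 0x700: the loader case */
    uint32_t bpm    = dr7_arm(loader, 0, 3, 3);         /* BPM on DR0: 4-byte read/write */
    describe(plain); describe(loader); describe(bpm); describe(dr7_clear_all(bpm));
    return 0;
}
```

The armed case decodes to 0x000F0701: L0 set, R/W0 = 3 (read/write), LEN0 = 3
(4 bytes), with the 0x700 baseline untouched. A check that only tests
(dr7 & 0xFF) therefore sees the BPM, and a check that compares against 0x700
sees the loader, which is why the page tells you to clear breakpoints and
not to trace while such a check runs.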
___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. The open only succeeds when the
driver is loaded, so a valid handle means SoftICE is present.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    /* "\\\\.\\SICE" is the device name \\.\SICE after C escaping. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* device opened: the driver answered */
        return TRUE;
    }
    return FALSE;               /* no such device: SICE is not loaded */
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE ?
00401074: je 00401091

There are many breakpoints you could use to catch this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
(esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the four
bytes compared are the start of the device name.)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) + 1 == 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall back door. This detection was found in the
Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

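The checks in Methods 01 to 07, 11 and 12 all come down to a handful of fixed
instruction sequences and device-name strings, which is why they are easy to
spot in an unpacked image before you ever set a breakpoint. The scanner below
is an added example (not code from the page, from SoftICE or from any program
named above) that searches a raw file image for those encodings. The function
names, the pattern labels and the SAMPLE buffer are its own inventions, and
the sample is hand-assembled from the page's listings, not taken from a real
executable:

```c
/* Added example, not part of the original page: a static triage scanner for
 * the byte encodings of the SoftICE checks in Methods 01-07, 11 and 12.
 * It matches the literal sequences printed on the page (16-bit encodings for
 * the DOS checks, 32-bit for the BCHK and VxDCall ones); code that loads the
 * registers in another order or computes the magic values will not match.
 * Build: cc -std=c99 -Wall scan.c && ./a.out */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; const uint8_t *bytes; size_t len; } Pattern;
typedef struct { size_t offset; const char *name; } Hit;

/* Opcodes: B8/BB/BE/BF = MOV AX/BX/SI/DI,imm16 ; B4 = MOV AH,imm8 ;
 * BD imm32 = MOV EBP,imm32 (32-bit code) ; CD xx = INT xx ; CC = INT 3 ;
 * 3D imm16 = CMP AX,imm16 ; 68 imm32 = PUSH imm32 (32-bit code). */
static const uint8_t S_M01[]   = { 0xBD,0x4B,0x48,0x43,0x42 };             /* mov ebp,'BCHK' */
static const uint8_t S_M02[]   = { 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC }; /* mov si,4647h / mov di,4A4Dh / int 3 */
static const uint8_t S_M03[]   = { 0xBB,0x02,0x02, 0xCD,0x2F };            /* mov bx,0202h / int 2Fh */
static const uint8_t S_M04[]   = { 0xBB,0x5F,0x7A, 0xCD,0x2F };            /* mov bx,7A5Fh / int 2Fh */
static const uint8_t S_M05[]   = { 0xB8,0x4F,0x00, 0xCD,0x41 };            /* mov ax,4Fh / int 41h */
static const uint8_t S_M07[]   = { 0xB4,0x43, 0xCD,0x68 };                 /* mov ah,43h / int 68h */
static const uint8_t S_MAGIC[] = { 0x3D,0x86,0xF3 };                       /* cmp ax,0F386h */
static const uint8_t S_M12[]   = { 0x68,0x4F,0x00,0x00,0x00, 0x68,0x2A,0x00,0x2A,0x00 }; /* push 4Fh / push 2A002Ah */
static const char    S_SICE[]  = "\\\\.\\SICE";
static const char    S_SIWVID[]= "\\\\.\\SIWVID";
static const char    S_NTICE[] = "\\\\.\\NTICE";

#define CODE(n, a) { n, a, sizeof a }
#define STR(n, a)  { n, (const uint8_t *)a, sizeof a - 1 }   /* drop the NUL */

static const Pattern PATTERNS[] = {
    CODE("M01 BCHK int 3",              S_M01),
    CODE("M02 back door SI/DI magic",   S_M02),
    CODE("M03 int 2Fh/1684h SICE",      S_M03),
    CODE("M04 int 2Fh/1684h SIWVID",    S_M04),
    CODE("M05 int 41h/4Fh",             S_M05),
    CODE("M07 int 68h/43h",             S_M07),
    CODE("cmp ax,0F386h magic",         S_MAGIC),
    CODE("M12 VxDCall Int41Dispatch",   S_M12),
    STR ("M11 SICE device name",        S_SICE),
    STR ("M11 SIWVID device name",      S_SIWVID),
    STR ("M11 NTICE device name",       S_NTICE),
};
#define NPATTERNS (sizeof PATTERNS / sizeof PATTERNS[0])

/* Scan buf, fill up to max_hits entries in offset order, and return the total
 * number of matches (more than max_hits means the list was truncated). */
size_t scan_antidebug(const uint8_t *buf, size_t len, Hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off < len; off++) {
        for (size_t p = 0; p < NPATTERNS; p++) {
            const Pattern *pt = &PATTERNS[p];
            if (pt->len <= len - off && memcmp(buf + off, pt->bytes, pt->len) == 0) {
                if (n < max_hits) { hits[n].offset = off; hits[n].name = pt->name; }
                n++;
            }
        }
    }
    return n;
}

/* Number of hits carrying the given label (NULL = every hit). */
size_t count_hits(const uint8_t *buf, size_t len, const char *name)
{
    Hit hits[64];
    size_t n = scan_antidebug(buf, len, hits, 64), c = 0;
    if (n > 64) n = 64;
    for (size_t i = 0; i < n; i++)
        if (name == NULL || strcmp(hits[i].name, name) == 0) c++;
    return c;
}

/* Offset of the first hit with the given label, or -1 if there is none. */
long first_hit_offset(const uint8_t *buf, size_t len, const char *name)
{
    Hit hits[64];
    size_t n = scan_antidebug(buf, len, hits, 64);
    if (n > 64) n = 64;
    for (size_t i = 0; i < n; i++)
        if (strcmp(hits[i].name, name) == 0) return (long)hits[i].offset;
    return -1;
}

/* Constructed sample image (not from any real file): NOP filler around
 * hand-assembled copies of the page's checks. */
const uint8_t SAMPLE[] = {
    0x90,0x90,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3,          /* Method 05 at 2, magic compare at 7 */
    0x90,
    0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,          /* Method 03, mov bx at 14 */
    0x90,
    0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,               /* Method 02 at 20 */
    '\\','\\','.','\\','S','I','C','E',0,               /* Method 11 string at 27 */
    0x68,0x4F,0x00,0x00,0x00, 0x68,0x2A,0x00,0x2A,0x00, /* Method 12 at 36 */
    0x90,
};

int main(void)
{
    Hit hits[64];
    size_t n = scan_antidebug(SAMPLE, sizeof SAMPLE, hits, 64);
    for (size_t i = 0; i < n && i < 64; i++)
        printf("%04lx  %s\n", (unsigned long)hits[i].offset, hits[i].name);
    return 0;
}
```

A hit only tells you where to look (or where to put a BPX): 32-bit code
carries 66h operand-size prefixes in front of the 16-bit immediates, a
packer may build the magic values at run time, and the 0F386h compare also
appears in legitimate debugger-aware code, so the list is triage input, not
a verdict.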
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
in "Software\NuMega\SoftICE" and in key #1 respectively.)

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed                ; zero flag set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>