<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al is no longer 4 when SoftICE answered the int 3
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily
replaced by a private IRET handler around the call:

    xor ax, ax
    mov es, ax              ; ES must address the IVT (segment 0), as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our handler, old vector kept in dx:bx
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value read from the PIT counter
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; our handler copies al into cl; if it never ran, cl is still 0
    jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


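The int-based checks of Methods 01 to 07 all carry their magic values as
immediates in the code (the 'BCHK' constant, the 4647h/4A4Dh pair, int 2Fh/1684h
with a SoftICE VxD ID, int 41h/4Fh, int 68h/43h, the 0F386h compare), so an
analyst triaging a packed sample can flag them statically. The scanner below is
an added example written for this page, not code from the original text or from
any of the tools it names: the patterns are the 16-bit x86 encodings of the
instructions listed above (an optional 66h operand-size prefix covers 32-bit
code), the function and rule names are my own, and the sample blob is
constructed from the page's own snippets.

```python
"""Flag the int-based SoftICE checks of Methods 01-07 by their hard-coded
immediates (added example for this page; not code from the original text)."""
import re

# (rule name, what it matches, pattern).  Encodings are 16-bit x86; an optional
# 66h operand-size prefix is accepted where 32-bit code would carry one.
# DOTALL lets '.' in the gap quantifiers match newline bytes too.
RULES = [
    ("bchk_int3",
     "Method 01: mov ebp,4243484Bh ('BCHK', BoundsChecker signature)",
     re.compile(rb"\x66?\xbd\x4b\x48\x43\x42", re.DOTALL)),
    ("backdoor_magic",
     "Method 02: mov si,4647h / mov di,4A4Dh back door magic pair",
     re.compile(rb"\x66?\xbe\x47\x46\x66?\xbf\x4d\x4a"
                rb"|\x66?\xbf\x4d\x4a\x66?\xbe\x47\x46", re.DOTALL)),
    ("int2f_get_entry",
     "Method 03/04: int 2Fh/1684h with a SoftICE VxD ID in bx",
     re.compile(rb"\xb8\x84\x16.{0,8}?\xbb(\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f",
                re.DOTALL)),
    ("int41_4f",
     "Method 05/06: mov ax,4Fh followed (within 16 bytes) by int 41h",
     re.compile(rb"\xb8\x4f\x00.{0,16}?\xcd\x41", re.DOTALL)),
    ("cmp_f386",
     "cmp ax,0F386h (system debugger magic number; Methods 05, 07, 12)",
     re.compile(rb"\x3d\x86\xf3", re.DOTALL)),
    ("int68_43",
     "Method 07: mov ah,43h / int 68h (V86 WinICE handler)",
     re.compile(rb"\xb4\x43\xcd\x68", re.DOTALL)),
]

VXD_IDS = {b"\x02\x02": "0202h (SICE)", b"\x5f\x7a": "7A5Fh (SIWVID)"}


def scan_for_softice_checks(blob):
    """Return every rule hit as {offset, rule, detail}, sorted by offset."""
    hits = []
    for rule, description, pattern in RULES:
        for m in pattern.finditer(blob):
            detail = description
            if rule == "int2f_get_entry":
                detail = "VxD ID " + VXD_IDS[m.group(1)]
            hits.append({"offset": m.start(), "rule": rule, "detail": detail})
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed sample: the page's own snippets assembled back to back.
SAMPLE_BLOB = (
    b"\x90\x90\x90\x90"                          # padding (nop)
    b"\x66\xbd\x4b\x48\x43\x42"                  # mov ebp,4243484Bh            (Method 01)
    b"\xb8\x04\x00\xcc\x3c\x04\x75\x10"          # mov ax,4 / int 3 / cmp al,4 / jnz
    b"\xbe\x47\x46\xbf\x4d\x4a\xcc"              # mov si,4647h / mov di,4A4Dh / int 3 (Method 02)
    b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"          # mov ax,1684h / mov bx,202h / int 2Fh (Method 03)
    b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"  # mov ax,4Fh / int 41h / cmp ax,0F386h / jz (Method 05)
    b"\xb4\x43\xcd\x68"                          # mov ah,43h / int 68h         (Method 07)
    b"\x90\x90\x90\x90"
)

if __name__ == "__main__":
    for hit in scan_for_softice_checks(SAMPLE_BLOB):
        print(f"{hit['offset']:#06x}  {hit['rule']:<16} {hit['detail']}")
```

The gap quantifiers are deliberately short: the Stone variants of Method 05
put the vector swap between mov ax,4Fh and int 41h, which still fits in 16
bytes, while a longer window would start matching unrelated int 41h uses.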
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

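Method 10 works because the debug registers are architecturally defined: dr7
holds the enable bits and the type/length of each hardware breakpoint whose
address sits in dr0..dr3, bit 10 always reads as 1 (hence the 0x400 baseline)
and bits 8 and 9 are the LE/GE exact-match flags (hence 0x700). The decoder
below is an added example written for this page, not code from the original
text; it lays out what a ring0 reader of dr7 can learn, using the two values
the page quotes plus one constructed value with a BPM armed. Function names
are my own.

```python
"""Decode DR7 the way a ring0 reader in Method 10 would see it (added example
for this page; not code from the original text).  Field layout per the IA-32
architecture: Ln/Gn enable bits in bits 0-7, LE bit 8, GE bit 9, bit 10
reserved and always reads 1, GD bit 13, then R/Wn (2 bits) and LENn (2 bits)
per breakpoint starting at bit 16."""

RW_TYPES = {0: "execute", 1: "write", 2: "io read/write", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}  # 10b means 8 bytes in 64-bit mode only


def decode_dr7(dr7):
    """Split dr7 into its flags and the list of enabled breakpoint slots."""
    breakpoints = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        scope = "+".join(s for s, bit in (("local", local), ("global", glob)) if bit)
        breakpoints.append({"index": n, "scope": scope,
                            "type": RW_TYPES[rw], "length": LEN_BYTES[ln]})
    return {
        "local_exact": bool(dr7 & (1 << 8)),     # LE
        "global_exact": bool(dr7 & (1 << 9)),    # GE
        "general_detect": bool(dr7 & (1 << 13)), # GD
        "breakpoints": breakpoints,
    }


def classify_dr7(dr7):
    """The page's heuristic: armed BPMs, else the LE/GE pattern of the loader, else nothing."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "bpm_armed"
    if d["local_exact"] and d["global_exact"]:
        return "exact_match_flags"
    return "clean"


def describe_bpms(dr0, dr1, dr2, dr3, dr7):
    """Join each enabled slot in dr7 with the address held in the matching dr0..dr3."""
    addrs = (dr0, dr1, dr2, dr3)
    return [dict(bp, address=addrs[bp["index"]]) for bp in decode_dr7(dr7)["breakpoints"]]


# Constructed value: baseline 0x400, L0 enabled, R/W0 = 11b (read/write),
# LEN0 = 11b (4 bytes); this is what one armed BPM on a dword would look like.
BPM_DR7 = 0x400 | 0x1 | (3 << 16) | (3 << 18)   # == 0xF0401

if __name__ == "__main__":
    for value in (0x400, 0x700, BPM_DR7):
        print(f"dr7={value:#x}: {classify_dr7(value)} {decode_dr7(value)}")
    print(describe_bpms(0x401000, 0, 0, 0, BPM_DR7))  # constructed dr0 address
```

The same decoder explains why the page warns against tracing with SoftICE
while such a check is active: any BPM you set becomes visible in dr7 to the
very code you are stepping through.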
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-()
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

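The conditional breakpoints of Methods 11 and 13 work by dereferencing a stack
argument and comparing four bytes at a fixed offset: esp->4 is CreateFileA's
first argument (lpFileName) and +4 skips the '\\.\' device prefix, while
esp->8 is RegOpenKey's second argument (lpSubKey) and 0x13 / 0x37 are where
'tICE' falls inside the subkey strings of keys #2 and #1. The model below is
an added example written for this page, not code from the original text: it
evaluates those conditions against constructed argument strings so the offsets
can be checked rather than trusted. Function names are my own.

```python
"""Model the SoftICE breakpoint conditions of Methods 11 and 13 (added example
for this page; not code from the original text)."""

SOFTICE_DEVICES = (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")   # Method 11
REGISTRY_SUBKEYS = {                                                     # Method 13
    "#1": b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "#2": b"Software\\NuMega\\SoftICE",
    "#3": b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
}


def dword_at(buf, offset):
    """Model of SoftICE's *(addr) operand: the four raw bytes at offset, None if short."""
    chunk = buf[offset:offset + 4]
    return chunk if len(chunk) == 4 else None


def createfile_bpx_fires(lp_filename):
    """BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

    esp->4 is the first stack argument (lpFileName); +4 skips the 4-byte '\\.\' prefix."""
    return dword_at(lp_filename, 4) in (b"SICE", b"SIWV", b"NTIC")


def regopenkey_bpx_fires(lp_subkey):
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

    esp->8 is the second stack argument (lpSubKey)."""
    return dword_at(lp_subkey, 0x13) == b"tICE" or dword_at(lp_subkey, 0x37) == b"tICE"


def tice_offsets(lp_subkey):
    """Every offset at which 'tICE' occurs: shows where 0x13 and 0x37 come from."""
    return [i for i in range(len(lp_subkey) - 3) if lp_subkey[i:i + 4] == b"tICE"]


def evaluate_all():
    """Run both conditions over the page's strings plus one constructed benign path."""
    return {
        "createfile": {d.decode(): createfile_bpx_fires(d)
                       for d in SOFTICE_DEVICES + (b"C:\\autoexec.bat",)},
        "regopenkey": {k: (regopenkey_bpx_fires(v), tice_offsets(v))
                       for k, v in REGISTRY_SUBKEYS.items()},
    }


if __name__ == "__main__":
    for api, results in evaluate_all().items():
        for arg, verdict in results.items():
            print(f"{api:<10} {arg!r:<70} -> {verdict}")
```

Running it also shows a gap in the page's registry breakpoint: key #3
(App Paths\Loader32.Exe) contains no 'tICE' at all, so a program that only
looks up the loader's path is not caught by that BPX and would need a clause
of its own.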
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>