<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095  MOV  AX,0911      ; execute command.
        4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
        4C19:009A  MOV  SI,4647      ; 1st magic value.
        4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
        4C19:00A0  INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute.
        4C19:00A4  INC  CX
        4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
        4C19:00A8  JB   0095         ; 6 different commands.
        4C19:00AA  JMP  0002         ; Bad_Guy: jmp back.
        4C19:00AD  MOV  BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; ES -> IVT (segment 0), as in Method 06
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret                    ; without a debugger, ax stays 4fh
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; only reached if no debugger intercepts int 41h
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random value from the timer
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl == al only if our handler ran
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (see
methods 05 and 06) but very limited because it's only available for Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
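As an added example (not part of the original text), the following Python scanner looks for the byte-level signatures of the checks described in Methods 01, 02, 03/04, 05, 07, 11, 12 and 13, so an analyst can tell which of these tricks a packed program carries before tracing it. The opcode encodings are the standard ones for the instructions shown above, the labels are my own, and the sample buffer is constructed, not taken from a real binary.

```python
import re
from typing import List, Tuple

def _driver_names() -> bytes:
    # '\\.\SICE', '\\.\SIWVID', '\\.\NTICE' as opened by MeltICE / _lopen (Method 11)
    return b"|".join(re.escape(b"\\\\.\\" + n) for n in (b"SICE", b"SIWVID", b"NTICE"))

# (label, compiled regex over raw bytes); 16-bit encodings unless noted.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') -> BD 4B 48 43 42
    ("M01_BCHK", re.compile(rb"\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h / mov di,4A4Dh in either order -> BE 47 46 / BF 4D 4A
    ("M02_BACKDOOR_MAGIC",
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46")),
    # Methods 03/04: mov bx,0202h (SICE) or mov bx,7A5Fh (SIWVID) shortly before int 2Fh
    ("M03_04_INT2F_VXD_ID",
     re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    # Method 05: int 41h followed by cmp ax,0F386h (optional 66h prefix in 32-bit code)
    ("M05_INT41_MAGIC", re.compile(rb"\xCD\x41.{0,8}?\x66?\x3D\x86\xF3", re.DOTALL)),
    # Method 07: mov ah,43h / int 68h -> B4 43 CD 68
    ("M07_INT68", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: SoftICE driver names passed to CreateFileA / _lopen
    ("M11_DRIVER_NAME", re.compile(_driver_names())),
    # Method 12: push 4Fh / push 002A002Ah before VxDCall -> 6A 4F 68 2A 00 2A 00
    ("M12_VXDCALL_INT41", re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: registry key Software\NuMega\SoftICE
    ("M13_REGISTRY", re.compile(re.escape(b"NuMega\\SoftICE"))),
]

def scan(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature hit, ordered by offset."""
    hits = [(m.start(), label) for label, pat in SIGNATURES for m in pat.finditer(buf)]
    return sorted(hits)

def methods_found(buf: bytes) -> List[str]:
    """Distinct labels present in buf, sorted."""
    return sorted({label for _, label in scan(buf)})

# Constructed sample (not a real file): the Haspinst sequence from Method 02
# plus several of the other checks, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # Method 01 (32-bit code)
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # Method 02 (Haspinst.exe)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                   # Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # Method 05
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # Method 12
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                   # Method 11 strings
    + b"\x90" * 4
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
```

Run it over a whole file image with `scan(open(path, "rb").read())`; the short patterns (Methods 03/04, 05) can fire on unrelated code, so treat a hit as a place to look, not as proof.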
</PRE></TD></TR></TBODY></TABLE>