<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; ES = 0 so that es:[41h*4] is the int 41h vector (as in method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; read the timer port: a value unlikely to be 0
 xor cx,cx
 int 41h ; our handler copies al to cl, unless SoftICE handles int 41h itself
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).


__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE; /* the driver answered: SoftICE is loaded */
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected



__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
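A static triage scanner, added here as an example and not part of the original text, which searches a raw binary image for the byte encodings of the constants that methods 01 to 13 above rely on (the 'BCHK' immediate, the 4647h/4A4Dh magic values, the F386h signature, the SICE/SIWVID VxD IDs, the driver names and the NuMega registry path), so that an analyst can flag anti-debugging code in a sample before running it. The SIGNATURES patterns and the SAMPLE buffer are my own constructions, encoded from the listings above.

```python
"""Static triage scanner for the anti-SoftICE constants listed in methods
01-13 above. Added example, not from the original text; the byte patterns are
my encodings of the listings (16-bit immediates without the 66h prefix, so
both 16-bit and 32-bit code match)."""
import re

SIGNATURES = [
    ("m01_bchk", rb"\xBD\x4B\x48\x43\x42"),                  # mov ebp,4243484Bh
    ("m02_backdoor", rb"\xBE\x47\x46.{0,4}\xBF\x4D\x4A"),    # mov si,4647h/di,4A4Dh
    ("m03_04_int2f", rb"\xBB(?:\x02\x02|\x5F\x7A).{0,4}\xCD\x2F"),  # VxD ID + int 2Fh
    ("m05_int41", rb"\xB8\x4F\x00.{0,4}\xCD\x41"),           # mov ax,4Fh/int 41h
    ("m07_int68", rb"\xB4\x43.{0,4}\xCD\x68"),               # mov ah,43h/int 68h
    ("f386_compare", rb"\x3D\x86\xF3"),                      # cmp ax,0F386h (05/07/12)
    ("m10_dr7_read", rb"\x0F\x21\xF8"),                      # mov eax,dr7
    ("m12_vxdcall", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),       # push 4Fh/push 002A002Ah
    ("m13_registry", re.escape(rb"Software\NuMega\SoftICE")),
]
# Method 11: driver names handed to CreateFileA/_lopen, in ANSI and UTF-16LE.
for _drv in (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"):
    _tag = "m11_" + _drv[4:].lower()
    SIGNATURES.append((_tag, re.escape(_drv.encode("ascii"))))
    SIGNATURES.append((_tag + "_w", re.escape(_drv.encode("utf-16-le"))))


def scan(image: bytes):
    """Return (offset, tag) hits found in the image, sorted by offset."""
    hits = []
    for tag, pattern in SIGNATURES:
        for m in re.finditer(pattern, image, re.DOTALL):
            hits.append((m.start(), tag))
    return sorted(hits)


def detected_methods(image: bytes):
    """Return the set of tags present, i.e. which tricks the image contains."""
    return {tag for _, tag in scan(image)}


# Constructed sample (not from a real file): NOP padding around a method 01
# check, a method 11 driver name and a method 12 VxDCall sequence.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"           # mov ebp, 4243484Bh
    + b"\x66\xB8\x04\x00\xCC"           # mov ax,4 / int 3
    + b"\x3C\x04\x75\x10"               # cmp al,4 / jnz
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                # '\\.\SICE',0
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"   # push 4Fh / push 002A002Ah
    + b"\xFF\x15\x00\x00\x00\x00"       # call [VxDCall]
    + b"\x66\x3D\x86\xF3"               # cmp ax, 0F386h
)

if __name__ == "__main__":
    for offset, tag in scan(SAMPLE):
        print(f"{offset:#06x}  {tag}")
```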
</PRE></TD></TR></TBODY></TABLE>