<TABLE width=500>
; m M8 d% s8 `' T<TBODY>
" j% U7 ~. W' m; X* Q$ q) `<TR>
4 x. t* s# Y. q" [$ n<TD><PRE>Method 01
1 d% E/ r/ n" F' H0 F=========: g, g( \8 F d! ?6 o' Q* c6 `& y
2 |% [4 {7 [( ?5 I. {/ S
This method of detection of SoftICE (as well as the following one) is1 o: V* v% M- V) q1 ]* }
used by the majority of packers/encryptors found on Internet.
7 z [9 v6 l6 B2 i6 uIt seeks the signature of BoundsChecker in SoftICE6 Z+ t; [4 w+ {% q, g
; i1 K/ l: c g8 l. p$ \8 l mov ebp, 04243484Bh ; 'BCHK'. @* y) L8 H/ k& y) J" Z. T' |
mov ax, 04h
3 H+ p; j$ h+ @0 Y% Z3 E4 v int 3 . {0 ]! V7 I3 Y- ?$ R
cmp al,4
9 {* x6 B2 v* W' t3 f- n& j jnz SoftICE_Detected4 K/ ]6 a% M: E% `
, R4 r& |+ i! G( b3 q___________________________________________________________________________
$ W z, F; `+ V/ v$ _
$ d7 \8 D* E( z* j4 M' e: y+ F. _Method 023 h/ v* C! D3 u. \5 r" w, @
=========
# N+ s& Y9 D4 j# h1 N$ _, p$ o3 Q* |) m% k4 M: k6 v6 o. j
Still a method very much used (perhaps the most frequent one). It is used& ~: ~: o; F6 ]* d. V6 a
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
s& D& Q: G4 D! H" v+ K1 S5 aor execute SoftICE commands...
% A4 \/ S- L/ u# I: iIt is also used to crash SoftICE and to force it to execute any commands
* p' P3 D9 P" u4 m: ?, z; x6 \ _(HBOOT...) :-(( 4 x5 ^9 {& ~1 @6 u
1 z1 V$ v4 U$ m" {6 \1 H
Here is a quick description: u) q) ~0 E( }2 H% K
-AX = 0910h (Display string in SIce windows)% N- Y# @- b6 b/ o7 g
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
5 ^ O$ M! J3 [: k: C" H-AX = 0912h (Get breakpoint infos) K# B# j6 M- W! X7 T7 Y0 Z& g1 j
-AX = 0913h (Set Sice breakpoints)( H. V1 Y) K, d! V9 g2 T$ J
-AX = 0914h (Remove SIce breakoints)
: g" Y& h9 m# M1 a6 k0 t8 G1 Z+ n* v4 g( ^3 P7 z' t
Each time you'll meet this trick, you'll see: d! f7 n0 j" `2 _) [0 V7 S( L
-SI = 4647h
: i$ A4 j1 x+ [1 G-DI = 4A4Dh! t" L- x: E8 z
Which are the 'magic values' used by SoftIce.. K$ N* ?+ R" C+ y
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.% | Z9 L9 {$ ?7 f1 J4 A' m% s
5 J3 b7 Y8 ^4 X) \' P" y/ o9 O7 oHere is one example from the file "Haspinst.exe" which is the dongle HASP: |4 C+ L: R0 P
Envelope utility use to protect DOS applications:" o) s: N; e5 a1 D+ z
0 C) y; X0 s& G. S
, i4 m9 T# `0 }( L ~" g& d4C19:0095 MOV AX,0911 ; execute command.0 r7 |: \; d1 k/ Q
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).' X" ?: t, z! f$ A( L& H
4C19:009A MOV SI,4647 ; 1st magic value.
8 c6 L& G' Q5 V) n: K' ?4C19:009D MOV DI,4A4D ; 2nd magic value.$ v5 i* E7 ^- ` }
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
: `5 I; M: w5 ~2 w0 [2 t4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
2 m( y' r; C- n4C19:00A4 INC CX
% `' I6 P( v7 \( _; M$ a$ f: }6 J' T4C19:00A5 CMP CX,06 ; Repeat 6 times to execute5 e; B" U5 D% Q+ _
4C19:00A8 JB 0095 ; 6 different commands.6 q& j6 {3 T0 K5 L6 @5 @" C( v
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
% {6 a Y0 ]* c4 J' D4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
8 I0 r$ v$ X1 t1 F6 }. S* j6 z6 X, x* ]0 T8 w2 l
The program will execute 6 different SIce commands located at ds:dx, which( e* l, Z! X/ h1 Z# X5 z7 y9 c6 W
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.3 g% r+ r" a* R0 i1 k7 n$ b
: z/ T2 A* M" O7 x! H& U: n9 C
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
& I* n- p3 }/ b; l- n___________________________________________________________________________$ w: o, x8 G4 f# B, v2 g* y1 [
5 S, Q; p! _1 M
+ u+ S* Z, b2 a4 AMethod 03
& ]9 K: v9 H: ^/ x=========
& E4 O/ U% s- g9 }$ ?4 `
* Q4 h0 a, i q* y2 JLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
# {. C8 |, p+ ?0 f% V- [) A9 _& y(API Get entry point)' ?4 \: ]/ S2 A" y+ C
, E* o7 O* F6 w
3 K, G8 Q4 y: [+ b2 Y xor di,di s7 t" S7 r1 Q+ A3 w# p/ O
mov es,di- _0 ?6 k Y, Z) W8 c
mov ax, 1684h 5 A! n7 R$ P2 r! S. o8 u- ?
mov bx, 0202h ; VxD ID of winice6 o$ J' x. X, z" [+ H0 ^" i0 ?8 R
int 2Fh
5 K5 ^2 M3 e9 G: T/ `" Y mov ax, es ; ES:DI -> VxD API entry point
/ M! L* z3 l0 d8 V& \& ? add ax, di
" Q3 h9 W0 g0 n test ax,ax0 v3 Y* g1 d$ S ]3 {% p1 U" d
jnz SoftICE_Detected
$ @- u; V' b+ d" Q6 z5 O/ f- F. P# y7 k
___________________________________________________________________________
. h A c9 }8 Y9 Z
1 Z$ v; m P. iMethod 040 V$ `' \4 P+ Z+ Y6 i+ N! x1 }
=========2 J% @& O; A' S
, k; j* S- z, ?/ h5 p3 j: uMethod identical to the preceding one except that it seeks the ID of SoftICE
- J8 w1 |6 h: j EGFX VxD.: V* \8 J% x. A; G. u! d
8 q& B" H# F+ ^7 {
xor di,di$ k& N- N8 W; j& E2 Q
mov es,di
/ [$ s. q) |2 ?# { mov ax, 1684h
$ P M) j: H4 C \) i+ L- s mov bx, 7a5Fh ; VxD ID of SIWVID1 D% h' B0 W( t: v- s% i. C
int 2fh- }3 b/ o2 g8 K0 m' |
mov ax, es ; ES:DI -> VxD API entry point
5 W4 q4 d1 I8 w% I add ax, di
' x) H$ \; ` J P( n test ax,ax% Q% E5 r. z6 d( q3 z, J, C$ ~
jnz SoftICE_Detected
3 g; _8 I4 e8 S$ s# E5 |- W. K% W! e
__________________________________________________________________________
# D" @' d* k3 H, E4 u& S
; S! n& K' C+ x2 n' G/ Q& v' s' _7 ^( }' n" I4 r2 n9 c
Method 05* y% o6 I' j* Y3 b" C
=========
; V) C& w: _$ p$ _) l; X0 e
; c" T9 `0 B- J' j" L2 v9 R4 XMethod seeking the 'magic number' 0F386h returned (in ax) by all system
! x+ [- F1 E. o1 y4 Qdebugger. It calls the int 41h, function 4Fh.3 Q" h+ H# N8 H+ ]. l+ d
There are several alternatives. ) { C# U: L5 G0 k' }5 W' P
2 N1 [9 g4 ?0 ?+ L: w
The following one is the simplest:
( F* h( e) w& X, i. S# z. v$ W6 H$ y$ |# Q2 h
mov ax,4fh. Q! Z8 n* U9 _, o, n* M, z7 Z6 N
int 41h$ ]7 G1 M$ h- U* h/ P" u' o' p
cmp ax, 0F386
) f- v. Q7 Q( S; Y# }4 y* J0 M" c jz SoftICE_detected
1 E7 q" V/ D$ N
0 ]& P K: S3 |* M
) K; o. J( Y: y5 l9 ?4 I. HNext method as well as the following one are 2 examples from Stone's
: J" e3 J* ~8 c2 n"stn-wid.zip" (www.cracking.net):
) T3 h' Q, K: k4 f- F3 `1 B1 Z( b2 Y6 ^6 M: L+ s; w" \9 d
mov bx, cs
0 `2 F# ]+ D: R( O$ [6 p lea dx, int41handler2
1 l5 D; ^0 }. Q$ j' J" J1 O/ q5 P6 B xchg dx, es:[41h*4]3 `: }' s- Z! H( Y7 W
xchg bx, es:[41h*4+2]
* z) Z8 F+ r! z! x& p mov ax,4fh* [7 b3 ]" m8 R5 g( Y% O' R5 Z9 o0 ?
int 41h
/ k: o: Y6 i& X) W xchg dx, es:[41h*4]& |, x9 C# d, g2 q+ I
xchg bx, es:[41h*4+2]
, Y# i* s9 u n cmp ax, 0f386h
; W# t+ h* c$ ]7 n2 I jz SoftICE_detected
! G2 }( {- J. K: ^. q( [" Z& a3 Y3 u9 D& K) B
int41handler2 PROC3 ?# P# W/ K# t. B9 y1 L/ ?
iret4 r/ G$ L1 V" h; w! q, P
int41handler2 ENDP
* N% d+ d7 g$ h' F3 G6 I' [
5 L& L3 k. H4 o4 B2 J1 j- q0 t: S% M1 S7 U5 m- s- }6 f5 {
_________________________________________________________________________
9 `- W, |0 p2 N4 \$ _7 K: N% S+ l ?# d7 w4 [% }: y$ i
7 c9 ~4 X/ d7 a4 y$ C7 R( C
Method 06
6 }+ E' ^* R$ y=========
3 ^$ U9 R7 K) s2 a3 A1 E/ [- B: K4 t( P% M/ t6 `% i
2 r y( D6 w# D4 s, E) E1 |! M, L
2nd method similar to the preceding one but more difficult to detect:
; i" J: l& e& \5 R* n, q5 d3 ~* i6 L, } v
b3 P P/ r$ i- V
int41handler PROC+ d7 o; i: Q# _! O( ^9 W. c( ]) U/ U
mov cl,al2 k7 h/ G9 T _0 X
iret
) e) m. ^$ \/ C" X0 _/ m( uint41handler ENDP+ C8 Y% F; o, ]( h
3 b9 H$ u' H0 [; Y& D0 e5 L
: B. v" Z6 s1 C& V. r xor ax,ax
- ^6 W6 j3 B: `. r J% M& P mov es,ax$ j# }- P3 J% T, I6 ?
mov bx, cs
3 v# R8 ^& n F* h- ]* k& l lea dx, int41handler. C& T! n% q! \' i8 S/ E5 m
xchg dx, es:[41h*4]/ ~& y% B5 A$ \7 `
xchg bx, es:[41h*4+2]
3 z' h8 X7 S9 } in al, 40h* T5 I, u# D. K" l; b& G
xor cx,cx2 }2 _ H% G7 ]+ M; A0 u7 v
int 41h
5 A9 T2 L- d1 V0 L; B! L xchg dx, es:[41h*4]- F9 H' P& m. `$ R
xchg bx, es:[41h*4+2]
; `8 w! L% z0 A7 }9 N$ ]. H, E7 x" i cmp cl,al+ t- X9 M( e/ S$ u; v; J, _6 h
jnz SoftICE_detected! w4 I* ]6 y) f* _8 i
' |7 E/ a* ~. ~1 X+ U) y( D_________________________________________________________________________& ?; `. ]0 L( b9 L# `6 p
9 ^5 O/ F2 c3 }, o6 o* x
Method 07
O( |; s4 I0 \- j( \, d=========
! M2 r- r7 P$ A# P$ B1 a; Y D' L [3 i6 C" [/ C- C' w
Method of detection of the WinICE handler in the int68h (V86)
- b- P/ ?& z' X& L" l0 w1 N5 _1 [* V* S2 m0 s
mov ah,43h
* m# R+ s: |5 S( f$ p int 68h2 G9 Z& `! I3 A1 [
cmp ax,0F386h
/ v% n* x/ L6 I' u5 s! R! o. C jz SoftICE_Detected& U& H6 s- u* `
# Q0 S% D* ]& n. a; d' }5 V
' h% Q. p. a' R( }" |% J- s
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
: I$ R- n! o2 y! L9 N0 m app like this:7 S$ Z, @6 H7 P8 W( g
7 D0 f/ b, a1 G BPX exec_int if ax==68
$ v: _7 J; N1 b! s, G (function called is located at byte ptr [ebp+1Dh] and client eip is! Q0 o$ z6 n6 f- h% g6 n. ^
located at [ebp+48h] for 32Bit apps)
: H+ ]5 a& u) J# @% w, B# Z! t__________________________________________________________________________
1 k6 V; S: e* F
0 y$ U9 b3 l" K% p! \4 _ F) {8 N
" L! ?7 D! M( p. HMethod 08
: @# W7 K2 v& }) @, @. {" Y=========$ H; f6 J1 c' L- I: M
; J) C- I6 \- n0 ^/ \
It is not a method of detection of SoftICE but a possibility to crash the8 f) F- L8 l; i
system by intercepting int 01h and int 03h and redirecting them to another
( w0 C" r+ A. J6 i) M9 r$ xroutine.
+ Q, x9 ]) c, G0 pIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points. S! V: U% s$ Q# Z
to the new routine to execute (hangs computer...)0 E' ^/ J' O( l& C+ K
* q0 a+ b# J( x+ ], I( s mov ah, 25h& @. f) @1 l' i5 q
mov al, Int_Number (01h or 03h)
& J2 B( u1 W; u( v mov dx, offset New_Int_Routine
2 |$ N' }) h) K* f+ G. r int 21h
8 J+ P) t; I" `5 i9 [- |7 Q8 y+ }* q5 s
__________________________________________________________________________
9 ^9 h* ]% Z( s0 y7 l) g4 Y9 j. _, ^& e$ \/ a; n5 v& x
Method 09
+ ]- f+ }/ n z# D6 v=========
& j8 d* P6 Z$ Y
9 t$ l2 k7 _5 [+ _' e6 Z8 \2 eThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
4 Y% U1 @' h. g0 f. x( |performed in ring0 (VxD or a ring3 app using the VxdCall).3 O0 ]2 w e- p( }" J
The Get_DDB service is used to determine whether or not a VxD is installed
# j6 u" g& H/ Z' T" ufor the specified device and returns a Device Description Block (in ecx) for
& L0 Q* i- j _( p9 ~& pthat device if it is installed.
/ y5 E$ r$ k7 M9 Y* y9 A5 u
) ^( x, J$ v1 ]( m mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID$ f* ^3 X' F7 a' l2 _5 e
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-) ~" i/ _5 M( B/ w7 A, c- j
VMMCall Get_DDB# b; m7 u& U) `# ^3 v
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed$ Y8 V: z+ _" q3 _& J: |6 L
% `$ d( O1 w& ^9 x- B
Note as well that you can easily detect this method with SoftICE:
3 g- _ v- R' @4 j bpx Get_DDB if ax==0202 || ax==7a5fh. D* A: c9 E: x8 {9 x
2 W. a, J9 V9 d8 r, g+ T9 w& _! e
__________________________________________________________________________
& j1 t N" j* h& E; x4 k0 z, J; g
Method 10& g* {+ V5 A3 {" A
=========
0 m" L; O! V; E3 m& K- [( X
. Z! \, O; @4 G# L=>Disable or clear breakpoints before using this feature. DO NOT trace with; u& w5 [7 a* a- g
SoftICE while the option is enable!!
$ a- z+ y' n6 ^# I, y3 K$ n0 |, Z) m, X6 f) E% d7 M
This trick is very efficient:
" |# ]8 {4 r7 R% i$ Mby checking the Debug Registers, you can detect if SoftICE is loaded
% U0 N& Z( q0 f(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if& |: u' n+ Y+ z$ d) K4 }
there are some memory breakpoints set (dr0 to dr3) simply by reading their G2 J% {/ Z$ [! q8 e1 P
value (in ring0 only). Values can be manipulated and or changed as well' k7 @2 v% K1 K- {8 N" Q3 A
(clearing BPMs for instance)
R2 Y2 G% Z8 ~6 S% s" Q/ b( v8 m
__________________________________________________________________________
# A/ `; N" W c0 Q3 i) N; _9 Y9 S6 {+ l
Method 11
& S8 F2 {* D2 M- d=========/ r" O* i4 ^& B. y
( ]# }: }! R1 J% q3 n6 x8 m4 {This method is most known as 'MeltICE' because it has been freely distributed
; E1 Q4 g1 ~0 ?via www.winfiles.com. However it was first used by NuMega people to allow
- D7 Z% u4 b9 s$ V3 n& RSymbol Loader to check if SoftICE was active or not (the code is located/ F& w+ B) U" |7 _2 S" D7 t
inside nmtrans.dll).! A8 S- R t" I9 T6 M; G& G
) |. d1 x8 V7 E. r% N8 ^The way it works is very simple:
+ |- d. j. V9 J6 }It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
7 A/ `, C1 f* L, s* C jWinNT) with the CreateFileA API.7 N7 l+ C$ x3 a M+ Z2 k& K
! e9 ?: u. {, K
Here is a sample (checking for 'SICE'):
# H5 y# ^! J$ a6 ^! |6 T* O& t1 p" x6 r% W
BOOL IsSoftIce95Loaded()
& l7 J* h9 q2 `/ _) m1 ]! |5 O{
9 p/ u# l% u# [( j4 l' L8 l HANDLE hFile; $ a+ p( A8 g$ X- Q+ L
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
E" n, u2 `" h; J" _" a FILE_SHARE_READ | FILE_SHARE_WRITE,0 T7 x8 ]5 L6 e$ q
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);2 Y3 E& f: @& `- r5 K2 q
if( hFile != INVALID_HANDLE_VALUE )% `2 { X' R7 j
{4 j3 D6 m- a3 R6 H& B2 o
CloseHandle(hFile);. F W/ J) z6 F3 ?
return TRUE;
* P) h1 N2 C8 Z1 D2 e$ I }
5 G) V8 H. Q* }: |) A+ \ return FALSE;
+ w! U( i6 A4 ^3 b7 h. X}( Q% R' u- j$ T0 A. S
: h, i. X: e( l p- |7 S4 l( w9 DAlthough this trick calls the CreateFileA function, don't even expect to be/ x& o; L3 h4 _5 K4 F% o
able to intercept it by installing a IFS hook: it will not work, no way!. U3 K3 u8 L% L% r2 w! V
In fact, after the call to CreateFileA it will get through VWIN32 0x001F; F B0 N, l- j7 w' @
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)$ z% ]* p1 u& K
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
3 ?7 f1 @9 l0 h- E; h( Hfield.
7 w# H& r( B- r" g1 I! }! \- aIn fact, its purpose is not to load/unload VxDs but only to send a , Z% I Y4 ^ n. q' I4 E
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)' V; q" D) {- I
to the VxD Control_Dispatch proc (how the hell a shareware soft could try& \" z2 l m" m4 ^0 k3 k) s. V5 D
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
) J: l9 J5 D2 ~( B4 J" yIf the VxD is loaded, it will always clear eax and the Carry flag to allow S, Z& P9 \* }. a3 I. ]
its handle to be opened and then, will be detected.9 V2 I7 ^+ e: g1 X9 E- l
You can check that simply by hooking Winice.exe control proc entry point9 A" H: z2 a. t" P8 e: [4 _! y A
while running MeltICE.
I' H* f; L: C" ^, p# N* v" w/ d5 v- v0 P
m! Q9 O$ |( l. y# [1 ~8 t0 |
00401067: push 00402025 ; \\.\SICE! x+ p9 J4 p/ U1 w" u
0040106C: call CreateFileA
0 R$ _; Z/ y5 g" E7 s8 F" [ 00401071: cmp eax,-001) ^6 {7 ^8 v/ \4 i
00401074: je 00401091
4 ~( R5 I% M5 R, o, I6 S) }
( F/ b! o1 Y$ X7 U& y C
$ e+ x0 e( _* [% y; yThere could be hundreds of BPX you could use to detect this trick.
1 `% S# G7 V. X7 n( A- z7 ]2 C-The most classical one is:" d! L* U/ @$ E( ^- Q4 I
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
, M' |7 K" V" Q/ g4 J *(esp->4+4)=='NTIC'
# O& y/ G8 ^& C+ q: @4 A! M1 A' s* O* |4 S3 c) _
-The most exotic ones (could be very slooooow :-(: i( J4 a6 c- ?3 k6 t2 ^* a* F( y: K
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
! X) @' b7 h* N0 L, ]5 b/ F, F ;will break 3 times :-(
' L$ D: t9 P' |1 T
9 `* s" F0 r" u2 j-or (a bit) faster: 8 G& _, n" z' I. z
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
. L9 O, o3 f, w) r# w0 n" L. O* m/ W. F7 T8 _
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
4 p# b/ g! P. g7 j. E& Q ;will break 3 times :-(( d& v: e' K+ Q3 \& `
/ D7 F$ |' L j6 i9 L
-Much faster:
* h( R: d- Y( P7 y+ [4 p/ { BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'" x6 `7 t) B9 L6 X) [; X; Z. f7 C
. E# J: e) r& ^6 Y+ W; F0 x
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen7 B% Q( g5 W6 W, d
function to do the same job:
/ `& {: Q: w; w% c( |3 l6 I( B) ]5 B5 j1 }1 ?
push 00 ; OF_READ
# {, b8 `2 {! f N. v9 T* c mov eax,[00656634] ; '\\.\SICE',0
1 P- n8 a% W9 Y3 `# G push eax
7 B0 V- I2 C9 w* y8 w4 O call KERNEL32!_lopen
: n6 h$ v9 _* {9 }6 D5 j" Q inc eax
$ m( R9 R9 F/ W5 ?# v+ ^' P jnz 00650589 ; detected
0 Z- u8 s5 F# M+ {6 y push 00 ; OF_READ
3 n! M# |) b9 Y2 R5 i mov eax,[00656638] ; '\\.\SICE'
1 W' {0 f% n/ N; [% T; H push eax3 v6 N8 `7 `7 t
call KERNEL32!_lopen4 z: c6 X- e% }) j; _/ }
inc eax1 ?+ w1 j! ]' O. z- S$ `
jz 006505ae ; not detected4 ^; C/ e! l+ f6 E
! e5 r% w ~1 A7 B) X: C
9 l2 P1 i: X) N( u4 d! X
__________________________________________________________________________
}3 K; X7 u: \+ N( f, S- S1 F
- W/ @$ l. r, S# C; N. W; z. ?Method 12+ v+ r& p( _0 ?( m4 S F
=========% g5 z# Y& ~" |) V
; v6 I E. y* b% V! A
This trick is similar to int41h/4fh Debugger installation check (code 05
. F4 V8 T# T& b+ K1 b& 06) but very limited because it's only available for Win95/98 (not NT)
( c; d( x5 z4 J/ uas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
/ e. Q9 ]6 l V( i: b6 A0 R! y% Y, t
push 0000004fh ; function 4fh+ y/ n' O& J) v# W- r8 g# B0 K
push 002a002ah ; high word specifies which VxD (VWIN32)
5 I8 d# [; r. R2 l( s3 k ; low word specifies which service
" B) {- J6 R1 h (VWIN32_Int41Dispatch)
& G6 ^/ A8 | \) `4 _7 Q- _ call Kernel32!ORD_001 ; VxdCall
# }, {7 c+ n8 G2 s1 r' O cmp ax, 0f386h ; magic number returned by system debuggers
5 `& k" ^" v5 p1 I jz SoftICE_detected
$ Y( Y# c9 S" o$ }$ Q+ i& y. Z' `6 D) u: v
Here again, several ways to detect it:6 Z" ]: A* W6 R% J3 V
: r8 o+ Q1 N6 Q' a BPINT 41 if ax==4f9 \! G5 R- I- V
, ` \9 g" X& k, w BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one! r+ V: I+ J% `" v
2 Y1 H1 H9 M% Y8 v: h" K BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A; l7 Y, ]$ Q; m3 Y' d- F, B; U/ h
' _$ v0 O( F" ]% p6 x
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!* k8 y9 u* w& K1 G
% F; d; y# o2 P: o" w1 K
__________________________________________________________________________* n1 G0 W9 n" U, y' S- b& L# q8 F* f: k
* Z' Y# I( _& Z1 AMethod 13
' G/ n3 b: O# E, h; d# w0 J; i! @=========" F% G7 Q( D, F. S
6 v. @2 Z9 Z; i, d- z
Not a real method of detection, but a good way to know if SoftICE is. H: N) C+ u& \ d$ o' N
installed on a computer and to locate its installation directory.
: o: c1 R9 z. M% H# XIt is used by few softs which access the following registry keys (usually #2) :$ d4 j1 Y, D6 g! n4 r
7 x0 x0 [, ?, P/ m-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
# {2 {2 {) L* b9 |9 m$ S W\Uninstall\SoftICE1 t* K8 V' T! k P. D
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE8 c1 B% ]0 J* _$ K- u! Y L0 ~ v
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion$ p2 Z, g! W L5 f
\App Paths\Loader32.Exe7 W: I5 A A; ~5 a
9 \4 J+ l6 X) Z5 U7 I: z( e; r) {" J) o1 a( J
Note that some nasty apps could then erase all files from SoftICE directory1 r4 s7 l: P9 a9 q. F7 h, `
(I faced that once :-(: p% m& R; X' t n& r
( p9 H" M% A/ l2 UUseful breakpoint to detect it:
4 C& W5 `$ [$ ?" h2 ^/ I1 \$ j$ Q
% K1 T( A" ^8 z) b BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
# Q! f6 U- c; ~1 n' J) t9 O! J) p- o4 s
__________________________________________________________________________6 |5 I# p; o( h% F- L
0 Y }! }5 v- K, w: ]$ {, u1 x, C7 {" a# o. N3 h
Method 14
2 z2 Y2 P7 M7 G" {, ?, ]=========% L- {' \+ x. e5 {# @3 M
( K7 C9 h5 y# ?. z# a6 D" aA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose+ n7 h* Z! j/ L
is to determines whether a debugger is running on your system (ring0 only).: |& r9 S8 b. R0 D& w
0 l7 e# r& H4 h/ Z$ k; I. ? VMMCall Test_Debug_Installed8 f9 J8 A1 X3 j) p4 F! B
je not_installed1 s8 Q4 j/ z* {3 e
6 {% S3 ?) E; l% m3 b
This service just checks a flag.
" X3 x( I O+ @; D0 O! p</PRE></TD></TR></TBODY></TABLE> |