<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK' - BoundsChecker magic value
    mov ax, 04h            ; BoundsChecker sub-function 04h
    int 3                  ; SoftICE's int 3 handler answers the BCHK call by changing al
    cmp al, 4              ; al unchanged -> nobody answered, no SoftICE
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV  AX,0911     ; execute command.
    4C19:0098 MOV  DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV  SI,4647     ; 1st magic value.
    4C19:009D MOV  DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT  3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD  BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC  CX
    4C19:00A5 CMP  CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB   0095        ; 6 different commands.
    4C19:00AA JMP  0002        ; Bad_Guy jmp back.
    4C19:00AD MOV  BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di              ; es:di = 0:0 before the call
    mov ax, 1684h          ; int 2Fh function 1684h: get VxD API entry point
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point (still 0:0 if no such VxD)
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax              ; es = 0 so that es:[41h*4] addresses the IVT entry
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]    ; install our own int 41h handler, keeping the old vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]    ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect. The
program installs its own int 41h handler that copies al into cl, then calls
int 41h with cl = 0 and a timer byte in al: if SoftICE services int 41h
itself, the program's handler never runs, cl stays 0 and cl != al reveals
the debugger:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h             ; any value that is unlikely to be 0
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h                    ; DOS set interrupt vector
    mov al, Int_Number             ; 01h or 03h
    mov dx, offset New_Int_Routine ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring 0 only). Values can be manipulated and/or changed as
well (clearing BPMs for instance).

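Added example (not part of the original text): the decoder below shows what the two DR7 values quoted above actually encode, and what a memory breakpoint in dr0-dr3 adds to DR7, so you can see exactly which bits a trick of this kind is reading. The bit layout is the standard Intel DR7 layout; the register values fed to it are constructed, not captured from a real SoftICE session.

```python
"""Decode the x86 DR7 debug-control register that Method 10 reads.

Added example, not code from the original page. The page reports DR7 = 0x700
when the program was started from the SoftICE loader and 0x400 otherwise,
and says dr0-dr3 reveal memory breakpoints (BPMs). decode_dr7() shows which
DR7 bits those values set; with_bpm() shows what one BPM adds. Bit positions
follow the Intel SDM description of DR7; all values below are constructed.
"""
from __future__ import annotations

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "rw"}   # R/Wn field, 2 bits per slot
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}                   # LENn field: 00=1, 01=2, 10=8, 11=4 bytes


def decode_dr7(dr7: int) -> dict:
    """Break dr7 into its global flags and the four breakpoint slots."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)       # Ln enable: bits 0, 2, 4, 6
        glob = bool((dr7 >> (2 * i + 1)) & 1)    # Gn enable: bits 1, 3, 5, 7
        rw = (dr7 >> (16 + 4 * i)) & 3           # R/Wn: bits 16-17, 20-21, 24-25, 28-29
        length = (dr7 >> (18 + 4 * i)) & 3       # LENn: bits 18-19, 22-23, 26-27, 30-31
        slots.append({"slot": i, "local": local, "global": glob,
                      "enabled": local or glob,
                      "type": RW_NAMES[rw], "length": LEN_NAMES[length]})
    return {
        "LE": bool((dr7 >> 8) & 1),       # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),       # global exact breakpoint enable
        "bit10": bool((dr7 >> 10) & 1),   # reserved, always reads as 1: the 0x400 the page sees
        "GD": bool((dr7 >> 13) & 1),      # general detect: traps MOV to/from DRn
        "slots": slots,
    }


def active_breakpoints(dr7: int) -> list:
    """Slots whose local or global enable bit is set, i.e. live BPMs."""
    return [s for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def has_loader_pattern(dr7: int) -> bool:
    """True when LE and GE are both set: that is what turns the page's
    ordinary 0x400 value into the 0x700 seen under the SoftICE loader."""
    return (dr7 & 0x300) == 0x300


def with_bpm(dr7: int, slot: int, kind: str, length: int, local: bool = True) -> int:
    """Return dr7 with breakpoint `slot` programmed as a BPM of the given
    kind ("exec", "write", "io", "rw") and length in bytes (1, 2, 4 or 8)."""
    if kind == "exec" and length != 1:
        raise ValueError("execution breakpoints must use length 1")
    rw = {v: k for k, v in RW_NAMES.items()}[kind]
    ln = {v: k for k, v in LEN_NAMES.items()}[length]
    field_shift = 16 + 4 * slot
    dr7 &= ~(0xF << field_shift) & 0xFFFFFFFF     # clear the slot's old R/W and LEN
    dr7 &= ~(0x3 << (2 * slot)) & 0xFFFFFFFF      # clear the slot's old L/G enables
    dr7 |= (rw | (ln << 2)) << field_shift
    dr7 |= 1 << (2 * slot + (0 if local else 1))
    return dr7


if __name__ == "__main__":
    for value in (0x400, 0x700, with_bpm(0x400, 0, "write", 4)):
        d = decode_dr7(value)
        bpms = [(s["slot"], s["type"], s["length"]) for s in active_breakpoints(value)]
        print(f"DR7={value:#x}: LE={d['LE']} GE={d['GE']} bit10={d['bit10']} BPMs={bpms}")
```

Reading the output side by side makes the page's two numbers concrete: 0x400 is nothing but the reserved bit that always reads as 1, 0x700 adds the LE and GE exact-breakpoint flags, and a single 4-byte write BPM in slot 0 turns 0x400 into 0xD0401 (L0 set, R/W0 = write, LEN0 = 4 bytes), which is what a trick "reading their value" sees.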
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;

    /* Opening the VxD by its device name only succeeds when it is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001        ; INVALID_HANDLE_VALUE?
    00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov  eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                   ; HFILE_ERROR (-1) becomes 0
    jnz  00650589              ; detected
    push 00                    ; OF_READ
    mov  eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae              ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp  ax, 0f386h        ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386             ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only):

    VMMCall Test_Debug_Installed
    je not_installed               ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>