<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh         ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; ds:dx points to the command string)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911      ; execute command.
4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647      ; 1st magic value.
4C19:009D  MOV DI,4A4D      ; 2nd magic value.
4C19:00A0  INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02        ; BX+2 to point to next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
4C19:00A8  JB 0095          ; 6 different commands.
4C19:00AA  JMP 0002         ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h               ; VxD ID of winice
        int 2Fh
        mov ax, es                  ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh               ; VxD ID of SIWVID
        int 2Fh
        mov ax, es                  ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax, ax
        mov es, ax                  ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]         ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]         ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h              ; our handler leaves ax untouched
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al                  ; only reached if nobody else handles int 41h
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax                  ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h                  ; pseudo-random value from the timer port
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al                  ; cl != al: our handler never ran
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number          ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SICE device; succeeds only if the VxD answers the open */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025     ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                     ; OF_READ
        mov eax,[00656634]          ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589                ; detected
        push 00                     ; OF_READ
        mov eax,[00656638]          ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004Fh              ; function 4Fh
        push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                    ; low word specifies which service
                                    ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001      ; VxdCall
        cmp ax, 0F386h              ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>