<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4            ; al is no longer 4 once SoftICE has handled the int 3
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h      ; VxD ID of winice
 int 2Fh
 mov ax, es         ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh      ; VxD ID of SIWVID
 int 2fh
 mov ax, es         ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax                 ; es = 0 -> interrupt vector table (as in Method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]       ; install our own int 41h handler, save the old one
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]       ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h                ; random-ish value from the timer port
 xor cx,cx
 int 41h                   ; our handler copies al into cl if it runs
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86).

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h
 mov al, Int_Number         ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* the open only succeeds if the SICE VxD is loaded and answers the DIOC_OPEN */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                     FILE_SHARE_READ | FILE_SHARE_WRITE,
                     NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
  CloseHandle(hFile);
  return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025      ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                  ; OF_READ
 mov eax,[00656634]       ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589             ; detected
 push 00                  ; OF_READ
 mov eax,[00656638]       ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae              ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh           ; function 4fh
 push 002a002ah           ; high word specifies which VxD (VWIN32)
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001    ; VxdCall
 cmp ax, 0f386h           ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
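
As an added example (not part of this text, nor of any tool or program it names), the following Python script scans a binary image for the byte patterns of Methods 01, 02, 03/04, 05, 07, 11, 12 and 13, the way an analyst would triage a packed sample before loading it in a debugger. The opcode encodings are the standard x86 ones; the sample buffer is constructed here and is not taken from any real file.

```python
import re

# Rule name -> regex over raw bytes. Immediates are little-endian; short lazy
# wildcard gaps (DOTALL) tolerate a few bytes of register set-up between the
# instructions the text lists back to back. Only ANSI strings are matched.
ANTI_DEBUG_PATTERNS = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "BoundsChecker int3 (BCHK)":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (16-bit code)
    "SoftICE backdoor int3 (SI=4647h, DI=4A4Dh)":
        re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "int 2Fh/1684h VxD entry point (SICE/SIWVID)":
        re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL),
    # Method 05: mov ax,4Fh / int 41h (optional 66h prefix in 32-bit code)
    "int 41h/4Fh debugger check":
        re.compile(rb"(?:\x66)?\xB8\x4F\x00.{0,8}?\xCD\x41", re.DOTALL),
    # Method 07: mov ah,43h / int 68h
    "int 68h/43h WinICE handler check":
        re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL),
    # Method 11 (MeltICE): device names passed to CreateFileA or _lopen
    "MeltICE device name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh / push 2A002Ah before calling VxDCall
    "VxDCall VWIN32_Int41Dispatch":
        re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 13: the NuMega registry key
    "SoftICE registry key":
        re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE),
}

def scan(data):
    """Return sorted (offset, rule_name) pairs for every pattern found in data."""
    hits = []
    for name, rx in ANTI_DEBUG_PATTERNS.items():
        hits.extend((m.start(), name) for m in rx.finditer(data))
    return sorted(hits)

# Constructed sample: the snippets from the text hand-assembled into one
# buffer (not a real program) so the scanner can be exercised offline.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"      # Method 02
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"      # Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                      # Method 05
    + b"\xB4\x43\xCD\x68"                                      # Method 07
    + b"\\\\.\\SICE\x00"                                       # Method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                          # Method 12
    + b"Software\\NuMega\\SoftICE\x00"                         # Method 13
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

A hit only says the bytes are present; packers also build these sequences at run time, so the scan complements rather than replaces the breakpoints listed above.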
, `- Q& |$ u* m) w2 a) F- J8 X</PRE></TD></TR></TBODY></TABLE> |