<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with EBP holding
the signature 'BCHK' and AX=4, SoftICE answers the INT 3 and changes AL.
If AL is still 4 afterwards, nobody answered the call.

 mov ebp, 04243484Bh ; 'BCHK' signature
 mov ax, 04h
 int 3 ; SoftICE's BoundsChecker hook modifies AL
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It calls the
SoftICE 'Back Door' interface on INT 3, which gives information about
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, entry for INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD through
int 2Fh/1684h (Get Device API Entry Point) using its VxD ID. With ES:DI
cleared beforehand, a non-zero ES:DI on return means the VxD answered.

 xor di,di
 mov es,di ; ES:DI = 0000:0000 before the call
 mov ax, 1684h ; Get Device API Entry Point
 mov bx, 0202h ; VxD ID of WINICE
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di ; (or ax,di would avoid a 16-bit wrap to zero)
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one except that it asks for the entry point of
the SoftICE video VxD (SIWVID).

 xor di,di
 mov es,di ; ES:DI = 0000:0000 before the call
 mov ax, 1684h ; Get Device API Entry Point
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h that system debuggers return
(in AX) to the int 41h function 4Fh call (debugger installation check).
There are several variants.

The following one is the simplest:

 mov ax,4fh ; debugger installation check
 int 41h
 cmp ax, 0F386h ; magic value returned by a system debugger
 jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The real-mode int 41h vector is first
replaced with a dummy handler, so that the call can only return 0F386h if a
debugger intercepts the interrupt before the vector table is consulted:

 mov bx, cs ; ES is assumed to address segment 0 (the IVT), see Method 06
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our handler, saving the old vector in DX:BX
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret ; does nothing, so AX can only change if someone else answered
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect. The
installed handler copies AL into CL; the caller puts a value read from the
timer port 40h into AL and clears CX before the INT 41h. CL equals AL
afterwards only if the installed handler actually received the interrupt;
if a debugger consumed it first, CL stays zero.

int41handler PROC
 mov cl,al ; prove that we were called
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES = 0: interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, saving the old vector in DX:BX
 xchg bx, es:[41h*4+2]
 in al, 40h ; unpredictable value from the timer counter
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode debugger interface):

 mov ah,43h ; debugger installation check
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
 32-bit app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detection of SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...)

 mov ah, 25h ; set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app through VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
of that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
 trace with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE Loader, 0x400
otherwise) or whether memory breakpoints are set (DR0 to DR3), simply by
reading their value (ring 0 only). The values can be manipulated or changed
as well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open a handle to the SoftICE drivers (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;

    /* the device name of the VxD can only be opened if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, reached via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091 ; not detected

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-((

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

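Added example (mine, not code from the original page): the conditions of the two SoftICE breakpoints quoted for Method 11 (BPX CreateFileA) and Method 13 (BPX _regopenkey), re-implemented in C and run over constructed argument strings. Two things it makes visible that the one-liners do not: the offsets 0x13 and 0x37 are exactly where "tICE" sits in registry keys #2 and #1 above (key #3 is never caught), and SoftICE compares a multi-character constant such as 'SICE' against memory in string order, whereas a C multi-character literal is laid out the other way round by gcc, so the code uses memcmp rather than a dword compare. The looser `subkey_mentions_softice` check is my own addition, not a breakpoint from the page.

```c
/* Added example, not part of the original page: the checks behind the
 * SoftICE breakpoint conditions quoted in Methods 11 and 13, as plain C
 * functions over the same arguments the hooked APIs receive. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SoftICE's  *(s+off)=='abcd' : the 4 bytes at s+off equal tag, in memory
 * order.  The debugger reads the dword blindly; in C we must also check the
 * string reaches that far, or we read past the buffer. */
static int tag_at(const char *s, size_t off, const char *tag)
{
    return strlen(s) >= off + 4 && memcmp(s + off, tag, 4) == 0;
}

/* Method 11:
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName ("\\.\SICE"); +4 skips the "\\.\" device prefix. */
int bp_createfile_softice(const char *lpFileName)
{
    return tag_at(lpFileName, 4, "SICE") ||
           tag_at(lpFileName, 4, "SIWV") ||
           tag_at(lpFileName, 4, "NTIC");
}

/* Method 13:
 *   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey.  0x13 (19) is the offset of "tICE" inside key #2,
 * "Software\NuMega\SoftICE"; 0x37 (55) its offset inside key #1,
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE". */
int bp_regopenkey_softice(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13, "tICE") || tag_at(lpSubKey, 0x37, "tICE");
}

/* Case-insensitive substring search: registry key names are not case
 * sensitive, but the breakpoint above is. */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle), h = strlen(hay);
    for (size_t i = 0; i + n <= h; i++) {
        size_t j = 0;
        while (j < n && tolower((unsigned char)hay[i + j]) ==
                        tolower((unsigned char)needle[j]))
            j++;
        if (j == n)
            return 1;
    }
    return 0;
}

/* Looser check (my own, not the page's): catches any spelling of keys #1/#2
 * and also key #3 (App Paths\Loader32.Exe), which the offset-based
 * breakpoint never sees. */
int subkey_mentions_softice(const char *lpSubKey)
{
    return contains_ci(lpSubKey, "softice") || contains_ci(lpSubKey, "loader32.exe");
}

int main(void)
{
    /* constructed argument strings, as the hooked APIs would receive them */
    const char *paths[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "C:\\SICE.TXT", "\\\\.\\SIC" };
    const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
        "SOFTWARE\\NuMega\\SOFTICE" };

    for (size_t i = 0; i < sizeof paths / sizeof *paths; i++)
        printf("CreateFileA(%-14s) -> bpx fires: %d\n",
               paths[i], bp_createfile_softice(paths[i]));
    for (size_t i = 0; i < sizeof keys / sizeof *keys; i++)
        printf("RegOpenKey(%s)\n  bpx fires: %d, loose check: %d\n", keys[i],
               bp_regopenkey_softice(keys[i]), subkey_mentions_softice(keys[i]));
    return 0;
}
```

The last two constructed keys show the limits of the quoted breakpoint: the App Paths key (#3) has "der3" rather than "tICE" at offset 0x37, and an upper-case spelling of key #2 is a valid registry path that the byte-exact compare misses.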
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed ; ZF is set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>