<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh   ; 'BCHK' - BoundsChecker interface signature
    mov ax, 04h
    int 3
    cmp al, 4             ; if SoftICE handled the call, al is no longer 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce windows)
 -AX = 0911h (Execute SIce commands - the command is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
& f0 ]4 W" }; | A x
% w4 i& j0 B$ d% G6 }
Method 03/ _8 _3 W g- J @+ a
=========0 H2 m1 W4 ]3 u9 h: x
$ d6 C6 l. v/ z% U0 F1 d& vLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
7 X% A, o0 t7 n7 c' U; L, r7 X% w(API Get entry point)
8 z8 n) C) i9 j, e! D6 ]/ M' i+ j
) P. M9 S' ?- Q q) C5 [+ S. B( Q: t9 ]) d
xor di,di
. z1 T& w, t# D mov es,di2 U" v" [2 Q. Y- k
mov ax, 1684h
/ |; r1 y6 T% I9 m( J% r mov bx, 0202h ; VxD ID of winice/ @' p5 h8 y, A; O3 ~1 ~+ Z0 Y
int 2Fh
~+ w z, }: N- B/ w! t mov ax, es ; ES:DI -> VxD API entry point& F* g& _- N& ~& g! i7 W+ m
add ax, di
1 l+ z0 D% [$ @# _0 s. G' q) W+ ~ test ax,ax
% h% r1 o: y2 M1 M, ~! g/ O# V6 Z" K jnz SoftICE_Detected2 a% A+ F+ \6 m( A B! i7 T3 J, c
& F; S Y2 {) M$ c. p1 O7 j
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di            ; es:di = 0:0 before the call
    mov ax, 1684h         ; int 2Fh/1684h: get VxD API entry point
    mov bx, 7a5Fh         ; VxD ID of SIWVID
    int 2Fh
    mov ax, es            ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax           ; still 0 if the VxD is not loaded
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh           ; int 41h/4Fh: debugger installation check
    int 41h
    cmp ax, 0F386h        ; a system debugger answers with 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; install our own no-op handler in the IVT (es = 0)
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h               ; without a ring0 debugger, ax comes back unchanged
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret                  ; does nothing, leaves ax as it was
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al            ; our handler only copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax            ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]   ; install our handler in the IVT
    xchg bx, es:[41h*4+2]
    in al, 40h            ; hard-to-predict value from the timer port
    xor cx, cx
    int 41h               ; ah = 0 here, not the usual 4Fh
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al            ; cl == al only if our handler really ran
    jnz SoftICE_detected

_________________________________________________________________________
6 k2 o0 S" N, T# z: L1 MMethod 07
+ X" b7 ~; r1 W& g=========
$ J: Y) M# b. O% B' r) }! D. g
7 X, q- j/ P5 |9 tMethod of detection of the WinICE handler in the int68h (V86)4 P# O+ o1 t' k1 y0 d* ], N
: \$ u! b, F4 m
mov ah,43h
* S$ d0 m8 w4 n# k3 b int 68h3 { U; F$ `' V% t8 Q: n( z
cmp ax,0F386h
" `2 ~' p4 {4 F5 P7 q jz SoftICE_Detected7 ~. z8 z" D! _
% z$ Q5 H$ l* o
. D( x* ]/ B; q2 l
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
: s! A+ x4 Y/ x. h app like this:
# b# f# V9 a y0 D+ O# m( n, D- o; H# @, h) [+ E/ Q
BPX exec_int if ax==68
: e' {1 W; ^, D# a0 [* v (function called is located at byte ptr [ebp+1Dh] and client eip is" z" N4 B/ @* g
located at [ebp+48h] for 32Bit apps)
h+ x @/ f' y, |6 l6 `7 z3 j__________________________________________________________________________6 x3 m" K' D' n4 M$ c, C
( w" v, p5 x3 k' ~
/ s% D& M' ~' q# W: HMethod 08
( j4 M- M2 F% N5 c u: [=========# m! A4 \" D8 r$ g, {
8 ?. |( v' g5 M; r# x0 Z) m
It is not a method of detection of SoftICE but a possibility to crash the
; c' L Y( S0 H1 Gsystem by intercepting int 01h and int 03h and redirecting them to another6 G" S3 c# {$ f$ @' j1 | r) I
routine.3 y+ x$ O/ Q; v1 R, h: l
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
4 D0 O1 m2 e3 Yto the new routine to execute (hangs computer...)
( ]/ M( ?/ X' \% ]0 _( w$ ^8 P3 X* d1 N7 \
mov ah, 25h
( s; D1 T, {4 X/ p mov al, Int_Number (01h or 03h)/ o P* O% b. ` s& _7 g
mov dx, offset New_Int_Routine* V7 A0 F9 P" V6 Z
int 21h
9 S- W( Y' a- t. n
- W+ E4 G9 e" F* W9 A__________________________________________________________________________' U6 Q x0 b8 y% b) s$ x0 t( S1 ?7 L) X( z
$ }4 [. J" G) I, h1 L
Method 096 W: j) E! m" }+ o2 d- F$ _1 ]$ i) \
=========
7 e* q) f0 ^. f! G: C6 `- }) t6 c; V
' c; C! P' C8 }7 g$ kThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
4 \/ r; B: \. i, o( Uperformed in ring0 (VxD or a ring3 app using the VxdCall).& d$ }% z2 k) Y( J: N5 t6 `
The Get_DDB service is used to determine whether or not a VxD is installed% u& {% W/ G6 h) R! B( g) K
for the specified device and returns a Device Description Block (in ecx) for- X3 @0 R5 p6 c, W
that device if it is installed. z- ^/ C, M. o/ I# b% Y
, I4 Q& m- m# {2 b- d& s
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
6 l! [& s2 }& c7 m0 d7 C8 m mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)- w! y+ E# Y/ d3 l( T7 o d9 V
VMMCall Get_DDB
+ P& m7 @& C& \: K mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
5 i3 J7 b( } L" [' W% [& S3 X9 p* ?5 p" N; z
Note as well that you can easily detect this method with SoftICE:6 W2 }2 k1 J) s V' Y. n
bpx Get_DDB if ax==0202 || ax==7a5fh
& T: ~" u. N% K) N+ w" m8 c3 s. S3 g, {' u: v- u2 b- J! V% g
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* try to open the SICE VxD through its device name */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the driver answered: SoftICE is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                    ; HFILE_ERROR (-1) becomes 0 on failure
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh         ; function 4fh
    push 002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001  ; VxdCall
    cmp ax, 0f386h         ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

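Added example, not part of the original text: a small static scanner in C that looks for the instruction encodings and strings behind Methods 01, 02, 05, 07, 11 and 13, the kind of triage an analyst runs on a packed sample before loading it in a debugger. The signature names and the sample bytes are constructed here; the byte sequences are the standard x86 encodings of the instructions quoted above.

```c
/* Added example, not from the original text: static scanner for the
 * instruction encodings and strings behind Methods 01, 02, 05, 07, 11
 * and 13, for triaging a packed sample before stepping into it.
 * Signature names and the sample bytes are constructed for this demo. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { const char *name; const uint8_t *bytes; size_t len; } sig_t;
/* Encodings as they appear in the code quoted above (little-endian
 * immediates); an operand-size prefix (66h) in the other mode only
 * precedes these bytes, so the sequences still match. */
static const uint8_t BCHK[]  = {0xBD,0x4B,0x48,0x43,0x42};      /* mov ebp,4243484Bh 'BCHK' */
static const uint8_t MAGIC[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A}; /* mov si,4647h / mov di,4A4Dh */
static const uint8_t INT41[] = {0xB8,0x4F,0x00,0xCD,0x41};      /* mov ax,4Fh / int 41h */
static const uint8_t F386[]  = {0x3D,0x86,0xF3};                /* cmp ax,0F386h */
static const uint8_t INT68[] = {0xB4,0x43,0xCD,0x68};           /* mov ah,43h / int 68h */

#define BSIG(n, a) { n, a, sizeof(a) }
#define SSIG(n, s) { n, (const uint8_t *)s, sizeof(s) - 1 }
static const sig_t SIGS[] = {
    BSIG("Method 01: BoundsChecker 'BCHK' signature", BCHK),
    BSIG("Method 02: back door magic SI=4647h/DI=4A4Dh", MAGIC),
    BSIG("Method 05: int 41h function 4Fh", INT41),
    BSIG("Method 05/07/12: magic number 0F386h", F386),
    BSIG("Method 07: int 68h function 43h", INT68),
    SSIG("Method 11: MeltICE device name SICE", "\\\\.\\SICE"),
    SSIG("Method 11: MeltICE device name SIWVID", "\\\\.\\SIWVID"),
    SSIG("Method 11: MeltICE device name NTICE", "\\\\.\\NTICE"),
    SSIG("Method 13: NuMega registry key", "Software\\NuMega\\SoftICE"),
};
#define NSIGS (sizeof(SIGS) / sizeof(SIGS[0]))

/* Plain byte search (memmem() is not portable). */
static int contains(const uint8_t *buf, size_t len, const uint8_t *pat, size_t plen)
{
    for (size_t i = 0; plen > 0 && i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return 1;
    return 0;
}

/* Scans buf, stores the names of the matching signatures in hits (at most
 * max_hits) and returns how many distinct signatures were found. */
size_t scan_anti_sice(const uint8_t *buf, size_t len, const char **hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t s = 0; s < NSIGS && n < max_hits; s++)
        if (contains(buf, len, SIGS[s].bytes, SIGS[s].len)) hits[n++] = SIGS[s].name;
    return n;
}

/* Constructed stand-in for a packed sample: filler, a MeltICE device name,
 * the 0F386h compare, the back door magic values and the registry key. */
static const uint8_t SAMPLE[] =
    "\x90\x90\x55\x8B\xEC" "\\\\.\\SICE\0" "\x3D\x86\xF3\x74\x05"
    "\xBE\x47\x46\xBF\x4D\x4A\xCC" "Software\\NuMega\\SoftICE\0";

size_t demo_scan(const char **hits, size_t max_hits)
{
    return scan_anti_sice(SAMPLE, sizeof(SAMPLE) - 1, hits, max_hits);
}
```

The scanner only reports what the text's tricks leave behind as literal bytes; a packer that builds the magic values at run time is not caught this way, which is why the BPX/BPINT breakpoints above remain the dynamic check.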
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed   ; ZF set when no debugger is installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>