<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):


        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected


___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:
        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; assumes ES = 0 (IVT segment), as set up in Method 06
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed
Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name the Win9x SoftICE VxD answers to */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025           ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ; will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
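
When triaging a packed sample, the quickest way to see which of the tricks above it carries is to look for the byte encodings of the instructions and the strings each method depends on. The scanner below is an added example, not code from this page or from any tool it names; the opcode encodings (16-bit operand size for the DOS snippets, 32-bit for the Win32 ones) and the constructed sample buffer are this example's assumptions, since the page only gives mnemonics.

```python
# Static triage scanner for the anti-SoftICE tricks described on this page.
# Added example, not code from the page or from the tools it names: it looks
# for the instruction encodings and strings each method relies on, as plain
# byte substrings. Encodings assume 16-bit operand size for the DOS snippets
# and 32-bit for the Win32 ones (this example's assumption, not the page's).
from typing import Dict, List, Tuple

# (method, what the bytes encode, byte sequence to look for)
SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("Method 01", "mov ebp,4243484Bh ('BCHK')", b"\xBD\x4B\x48\x43\x42"),
    ("Method 02", "mov si,4647h / mov di,4A4Dh (int 3 back door magic)", b"\xBE\x47\x46\xBF\x4D\x4A"),
    ("Method 03", "mov ax,1684h / mov bx,0202h (SICE VxD ID)", b"\xB8\x84\x16\xBB\x02\x02"),
    ("Method 04", "mov ax,1684h / mov bx,7A5Fh (SIWVID VxD ID)", b"\xB8\x84\x16\xBB\x5F\x7A"),
    ("Method 05", "mov ax,4Fh / int 41h", b"\xB8\x4F\x00\xCD\x41"),
    ("Method 05/07/12", "cmp ax,0F386h (system debugger magic)", b"\x3D\x86\xF3"),
    ("Method 07", "mov ah,43h / int 68h", b"\xB4\x43\xCD\x68"),
    ("Method 11", r"device name \\.\SICE", rb"\\.\SICE"),
    ("Method 11", r"device name \\.\SIWVID", rb"\\.\SIWVID"),
    ("Method 11", r"device name \\.\NTICE", rb"\\.\NTICE"),
    ("Method 12", "push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch)", b"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("Method 13", r"registry key Software\NuMega\SoftICE", rb"Software\NuMega\SoftICE"),
    ("Method 13", r"registry key Uninstall\SoftICE", rb"Uninstall\SoftICE"),
]


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def scan(data: bytes) -> Dict[str, List[Tuple[int, str]]]:
    """Map each method to the (offset, description) hits found in data."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for method, what, needle in SIGNATURES:
        for off in find_all(data, needle):
            report.setdefault(method, []).append((off, what))
    return report


# Constructed sample (not a real file): filler bytes with a Haspinst-style
# int 3 back door call, a Method 05 check and a MeltICE device name inside.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x11\x09"                      # mov ax,0911h  (execute SIce command)
    + b"\x8B\x17"                          # mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A"          # mov si,4647h / mov di,4A4Dh
    + b"\xCC"                              # int 3
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x00" + rb"\\.\SICE" + b"\x00"
)

if __name__ == "__main__":
    for method, hits in sorted(scan(SAMPLE).items()):
        for off, what in hits:
            print(f"{method:16} @ 0x{off:04X}: {what}")
```

A hit only says the bytes are present; Method 02 in particular needs a look at the code around the offset, since the same instructions are used for the legitimate back door calls the page describes.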
</PRE></TD></TR></TBODY></TABLE>