<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095  MOV AX,0911      ; execute command.
4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647      ; 1st magic value.
4C19:009D  MOV DI,4A4D      ; 2nd magic value.
4C19:00A0  INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
4C19:00A8  JB 0095          ; 6 different commands.
4C19:00AA  JMP 0002         ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:
        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; ES must address the IVT (segment 0, see Method 06)
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random value from the timer
        xor cx,cx
        int 41h                 ; our handler copies al into cl...
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; ...unless SoftICE took the interrupt first
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
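Methods 01 to 07 are all fixed instruction sequences, so an analyst triaging a packed sample can look for them statically before ever running it. The scanner below is an added example (not from the original text) that matches the byte encodings of the sequences quoted above; the sample blobs are constructed by hand, and the choice of 16-bit encodings for Methods 02-07 (with an optional 66h prefix for Method 01) and of the small gaps allowed between instructions are my assumptions.

```python
import re

# Byte encodings of the instruction sequences quoted in Methods 01-07.
# Assumptions (mine, not the text's): Methods 02-07 are 16-bit real-mode
# code, Method 01 may be 16- or 32-bit (optional 66h operand-size prefix),
# and a few unrelated bytes may sit between the instructions (the lazy
# .{0,N}? gaps).
PATTERNS = {
    "Method 01: 'BCHK' signature via int 3":
        rb"(?:\x66)?\xBD\x4B\x48\x43\x42"        # mov ebp, 4243484Bh
        rb".{0,16}?(?:\x66)?\xB8\x04\x00"        # mov ax, 4
        rb".{0,16}?\xCC",                        # int 3
    "Method 02: int 3 back door (SI=4647h, DI=4A4Dh)":
        rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A.{0,16}?\xCC",
    "Method 03: int 2Fh/1684h, VxD ID 0202h (SICE)":
        rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F",
    "Method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)":
        rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F",
    "Method 05: int 41h function 4Fh":
        rb"\xB8\x4F\x00.{0,16}?\xCD\x41",
    "Method 05/06: own int 41h handler swapped into the IVT":
        rb"\x26\x87[\x06\x0E\x16\x1E\x26\x2E\x36\x3E]\x04\x01"  # xchg r16, es:[0104h]
        rb".{0,24}?\xCD\x41",                                   # int 41h
    "Method 07: int 68h function 43h":
        rb"\xB4\x43.{0,8}?\xCD\x68",
}
# DOTALL matters: the gap wildcard must also match a 0Ah byte.
COMPILED = {label: re.compile(pat, re.DOTALL) for label, pat in PATTERNS.items()}


def scan(blob):
    """Return the labels of the documented sequences present in blob, in
    PATTERNS order; each method is reported at most once."""
    return [label for label, rx in COMPILED.items() if rx.search(blob)]


# Constructed sample: Method 01, then Method 03, then Method 05, glued
# together with NOPs so the distances between instructions stay realistic.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"     # mov ebp, 4243484Bh   ('BCHK')
    + b"\x66\xB8\x04\x00"         # mov ax, 4
    + b"\xCC"                     # int 3
    + b"\x3C\x04"                 # cmp al, 4
    + b"\x75\x10"                 # jnz SoftICE_Detected (rel8 placeholder)
    + b"\x90" * 8
    + b"\x33\xFF"                 # xor di, di
    + b"\x8E\xC7"                 # mov es, di
    + b"\xB8\x84\x16"             # mov ax, 1684h
    + b"\xBB\x02\x02"             # mov bx, 0202h
    + b"\xCD\x2F"                 # int 2Fh
    + b"\x8C\xC0"                 # mov ax, es
    + b"\x03\xC7"                 # add ax, di
    + b"\x85\xC0"                 # test ax, ax
    + b"\x75\x10"                 # jnz SoftICE_Detected
    + b"\x90" * 8
    + b"\xB8\x4F\x00"             # mov ax, 4Fh
    + b"\xCD\x41"                 # int 41h
    + b"\x3D\x86\xF3"             # cmp ax, 0F386h
    + b"\x74\x10"                 # jz SoftICE_detected
)

# Constructed sample of the Method 06 variant (handler swapped into the IVT).
SAMPLE_STONE = (
    b"\x33\xC0\x8E\xC0"           # xor ax, ax / mov es, ax
    + b"\x8C\xCB"                 # mov bx, cs
    + b"\x8D\x16\x23\x01"         # lea dx, int41handler (offset placeholder)
    + b"\x26\x87\x16\x04\x01"     # xchg dx, es:[41h*4]
    + b"\x26\x87\x1E\x06\x01"     # xchg bx, es:[41h*4+2]
    + b"\xE4\x40"                 # in al, 40h
    + b"\x33\xC9"                 # xor cx, cx
    + b"\xCD\x41"                 # int 41h
    + b"\x26\x87\x16\x04\x01"     # xchg dx, es:[41h*4]
    + b"\x26\x87\x1E\x06\x01"     # xchg bx, es:[41h*4+2]
    + b"\x3A\xC8"                 # cmp cl, al
    + b"\x75\x10"                 # jnz SoftICE_detected
)

if __name__ == "__main__":
    for name, blob in (("SAMPLE", SAMPLE), ("SAMPLE_STONE", SAMPLE_STONE)):
        print(name, "->", scan(blob) or "nothing documented found")
```

A real-world scan would run this over the unpacked code sections of a binary; the gaps are deliberately short so that an unrelated `int 3` far away from a `'BCHK'` constant does not count as a hit.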
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

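The two DR7 values quoted above make more sense once the register is decoded: bit 10 is reserved and always reads as 1 (hence 0x400 on a clean system), and 0x700 adds the LE and GE bits; an armed BPM shows up as an enable bit in the low byte plus an R/W and LEN field in the high word. The decoder/encoder below is an added example, not from the original text; the bit layout is the documented x86 one, and the "loaded with the SoftICE loader" check simply encodes the observation the text reports.

```python
# Decoder/encoder for the x86 DR7 debug-control register that Method 10
# reads from ring 0. Added example, not from the original text. Bit layout
# per the Intel SDM: L0/G0 .. L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10
# reserved and always read as 1, R/Wn in bits 16+4n..17+4n and LENn in
# bits 18+4n..19+4n.

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}
KIND_RW = {v: k for k, v in RW_KIND.items()}
BYTES_LEN = {v: k for k, v in LEN_BYTES.items()}


def decode_dr7(dr7):
    """Return the control bits and a list of the armed slots (dr0..dr3)."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 0b11
            ln = (dr7 >> (18 + 4 * n)) & 0b11
            slots.append({"slot": n, "local": local, "global": glob,
                          "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"le": bool((dr7 >> 8) & 1), "ge": bool((dr7 >> 9) & 1),
            "bit10": bool((dr7 >> 10) & 1), "slots": slots}


def loaded_with_softice_loader(dr7):
    """The Method 10 observation: DR7 reads 0x700 when the program was
    started from the SoftICE loader and 0x400 otherwise, i.e. the loader
    leaves LE and GE set on top of the always-set bit 10."""
    return (dr7 & 0x700) == 0x700


def memory_breakpoints_set(dr7):
    """True if any of dr0..dr3 is enabled (a SoftICE BPM lives there)."""
    return bool(dr7 & 0xFF)


def arm_bpm(dr7, slot, kind, length):
    """Arm a local breakpoint in `slot` (the address itself goes in drN)."""
    mask = (0b1111 << (16 + 4 * slot)) | (0b11 << (2 * slot))
    dr7 &= ~mask
    dr7 |= 1 << (2 * slot)                          # Ln: local enable
    dr7 |= KIND_RW[kind] << (16 + 4 * slot)         # R/Wn
    dr7 |= BYTES_LEN[length] << (18 + 4 * slot)     # LENn
    return dr7


def clear_bpms(dr7):
    """What 'clearing BPMs' amounts to: drop every enable and R/W/LEN
    field and keep only the control bits 8-15."""
    return dr7 & 0xFF00


if __name__ == "__main__":
    for value in (0x400, 0x700, arm_bpm(0x700, 0, "read/write", 4)):
        print(hex(value), decode_dr7(value),
              "softice loader" if loaded_with_softice_loader(value) else "")
```

Reading the real registers needs ring 0 (a `mov eax, dr7` faults from ring 3), which is why the text restricts the trick to ring0; the functions above only reason about the values.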
__________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);    /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

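The breakpoint conditions quoted for Method 11 (`*(esp->4+4)=='SICE' ...`) and Method 13 (`*(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'`) are easier to trust once the offsets are checked: `esp->4` and `esp->8` are the first and second stack arguments of the hooked API, `+4` skips the `\\.\` device prefix, and 0x13 and 0x37 are exactly where `tICE` falls in key #2 and key #1. The model below is an added example, not from the original text; it re-implements the two conditions on byte strings standing in for the argument memory, with the argument values constructed from the paths listed on this page.

```python
# Model of the two SoftICE conditional breakpoints quoted in the text:
#   Method 11: BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
#   Method 13: BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
# Added example, not from the original text. esp->4 / esp->8 are the first
# and second stack arguments of the hooked API (lpFileName / lpSubKey) and
# *(p)=='XXXX' compares the four bytes at p with the literal; both are
# re-implemented here on Python byte strings.


def dword_at(buf, offset):
    """The four bytes at buf+offset (what *(p) reads); shorter if buf ends."""
    return buf[offset:offset + 4]


DEVICE_TAGS = (b"SICE", b"SIWV", b"NTIC")


def bpx_createfile_hits(lp_filename):
    # lpFileName is esp->4; the +4 skips the 4-byte \\.\ device prefix, so
    # the compare lands on the first four characters of the driver name.
    return dword_at(lp_filename, 4) in DEVICE_TAGS


def bpx_regopenkey_hits(lp_subkey):
    # lpSubKey is esp->8; 0x13 and 0x37 are fixed offsets, so only subkeys
    # whose 'tICE' sits exactly there trigger the breakpoint.
    return (dword_at(lp_subkey, 0x13) == b"tICE"
            or dword_at(lp_subkey, 0x37) == b"tICE")


def tice_offset(lp_subkey):
    """Where 'tICE' really sits in a subkey path (-1 if absent); used to
    check which of the three Method 13 keys the fixed offsets cover."""
    return lp_subkey.find(b"tICE")


# Constructed argument strings built from the paths the text lists (the
# HKEY_LOCAL_MACHINE root is not part of the lpSubKey argument).
KEY_1 = b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE"
KEY_2 = b"Software\\NuMega\\SoftICE"
KEY_3 = b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"
SICE, SIWVID, NTICE = b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"


if __name__ == "__main__":
    for key in (KEY_1, KEY_2, KEY_3):
        print(key.decode(), "-> 'tICE' at", hex(tice_offset(key)),
              "breaks" if bpx_regopenkey_hits(key) else "does not break")
    for name in (SICE, SIWVID, NTICE, b"C:\\boot.ini"):
        print(name.decode(), "->", bpx_createfile_hits(name))
```

Two things the model makes visible: key #3 (`App Paths\Loader32.Exe`) never satisfies the `_regopenkey` condition, so a program that only reads that key slips past it, and the `CreateFileA` condition compares narrow characters, so a caller going through the wide-character API would pass UTF-16 and never match the 4-byte literal.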
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>