<TABLE width=500>
9 N1 m9 b* ?9 d<TBODY>& B- S' F* e& m9 |" d
<TR>
3 z R6 J4 }1 ?5 |# Y6 G/ \* V<TD><PRE>Method 01 4 @' w& |4 d) C, V, b2 o" j
=========
3 q9 b% Y. U- q, i( [2 t
' `) i* X/ T9 j* \7 ]This method of detection of SoftICE (as well as the following one) is
. \7 Y @. o7 f" z8 A" lused by the majority of packers/encryptors found on Internet.; {, _5 |4 @3 m4 I3 B
It seeks the signature of BoundsChecker in SoftICE
" C( M; P8 b/ M2 H; Q$ k/ r& I
4 r0 @8 M! X4 [# a/ ~: X! k: p/ r+ L mov ebp, 04243484Bh ; 'BCHK') P& W2 t- V7 p4 w D( @
mov ax, 04h. s- X$ ~" A {
int 3
2 T' h8 q. G& y/ n5 n6 C cmp al,4
/ b. u/ B' N; [' p0 Q- ^ jnz SoftICE_Detected2 I5 }! d. }" `! Y: U0 N% c3 |
0 i0 t [) R$ j) `___________________________________________________________________________: J( |9 @; x8 p. o: h7 f5 ~# h% a
! R2 I5 d2 ^# R+ W) @, N
Method 02( P; | P+ s" A& n8 X- U6 K, k8 E
=========/ g: u3 S, G: ]' D9 ?9 D R
1 ?* V2 Q. l2 ~9 u$ x4 C+ U( D* jStill a method very much used (perhaps the most frequent one). It is used
" y/ i8 q, {: Y' a& q, Sto get SoftICE 'Back Door commands' which gives infos on Breakpoints,/ z. D" f* Z7 f8 `; b8 j. E6 |
or execute SoftICE commands...$ q3 |% ]& L" t+ r
It is also used to crash SoftICE and to force it to execute any commands& w; S' G6 v& @: G/ Y" q2 r
(HBOOT...) :-((
" \8 n' A1 i4 d) d
7 Y0 w) u$ v) _Here is a quick description:! O* p; G1 b4 i& u$ Q# b
-AX = 0910h (Display string in SIce windows)
; K- _+ q$ ~! N1 w. b-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
1 @2 g/ T; y' d) ?-AX = 0912h (Get breakpoint infos)
1 }. |7 o3 ~" u- V, h-AX = 0913h (Set Sice breakpoints)
) i! Z1 E# D7 C: v# b$ X: ]8 a-AX = 0914h (Remove SIce breakoints)
# t8 A# \: n% z
& o- a6 o+ J; C& {Each time you'll meet this trick, you'll see:$ W1 p2 G9 k4 [7 I
-SI = 4647h
' v& s+ Z k( g+ {. \-DI = 4A4Dh
* n; l i L8 ]' s2 tWhich are the 'magic values' used by SoftIce.
+ M U% Z" ^+ m+ Y1 a& yFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
$ S7 d6 P- m8 f1 R+ c! f6 s; y! }. f3 w" p7 w4 t1 r
Here is one example from the file "Haspinst.exe" which is the dongle HASP& }$ m; z7 G& Q8 U- i
Envelope utility use to protect DOS applications:, R: j! l4 e$ h/ q9 t) D
7 P* ~( K0 h6 j5 ^
0 O; K; h$ ~% X, h, {4C19:0095 MOV AX,0911 ; execute command.
+ L8 ?6 a- c1 d7 Z; Q4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).6 g) y1 [8 b5 }# p7 m3 M9 N
4C19:009A MOV SI,4647 ; 1st magic value.
4 o! k3 |0 l3 Z" D$ K2 B D" ?5 K4C19:009D MOV DI,4A4D ; 2nd magic value.- h8 x8 Y# J! {/ a. _/ B4 f
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*); }% p6 D$ K# d6 P: |% f
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
8 e. I& y, }0 \6 d4C19:00A4 INC CX" j5 a3 u, j/ k8 z/ Y, r* E
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute- y8 P# d. n1 [! k, u
4C19:00A8 JB 0095 ; 6 different commands.0 e% {+ H" C2 V
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
$ z4 D8 k8 W" `0 o9 Y: l& j4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
9 X) S9 s I5 b5 Q/ \1 B8 s
8 I2 g8 G# P6 x; ?The program will execute 6 different SIce commands located at ds:dx, which8 a/ Z2 n; u+ G+ n5 }; W
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.* f5 E+ Z* t& d
* \- Z; @ S- h4 p* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded." z" I% X5 ?% i* U) e% [
___________________________________________________________________________
, N; U4 B1 J* k2 e! ~9 `6 [! V# X; Y. A0 p% Z. v$ P% E
; F- ~( s$ i( M3 } G
Method 03- [* h' s# Y" h3 w0 O
=========7 B5 X3 W3 T; r0 L5 h
5 m' D) m1 V @! K( e4 J" B0 v5 [* ULess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
2 a4 [, J* U- i(API Get entry point)
) B2 q% d2 @% e0 W V 6 c0 ~* j/ I0 c+ g! e, c$ z' e
- J6 B- c: {% y; N8 U/ f3 K p& m
xor di,di$ d1 A* x1 Z, u* y% K
mov es,di6 p$ \' y: f L7 Q
mov ax, 1684h
" N" P! D3 g" N# C1 `* @- o4 r mov bx, 0202h ; VxD ID of winice
6 R" H/ {; ^; R! m& r! C4 i int 2Fh
3 U4 T; D4 ~3 z# x! Y mov ax, es ; ES:DI -> VxD API entry point" `' o2 \9 r9 i4 y- D1 X+ b& g% F
add ax, di1 E) c4 G7 |) a6 @; r3 W) I
test ax,ax
) m2 l2 P7 H0 n jnz SoftICE_Detected
+ \0 t+ n; b" i+ b% z5 z; V# K! |8 ~; s/ b
___________________________________________________________________________
+ d- f0 R& d* B o2 N0 |; h' e7 k7 P9 g6 h/ Y
Method 041 Z- j: n" a! u& R9 \& |
=========5 H- s8 x8 L! l3 M2 y& {! Z
! Q& B0 }. j# Z3 U- X2 HMethod identical to the preceding one except that it seeks the ID of SoftICE
. Z+ V& T: w1 d4 ]- Q% AGFX VxD./ j: |; S, N3 k" z; R1 L4 P
4 G N/ D8 b7 b, Z N xor di,di, W$ } s R* u2 F1 O; y. A5 j
mov es,di/ M }. a' \; x* I
mov ax, 1684h 7 `: o2 z: G% r5 T R2 e! I
mov bx, 7a5Fh ; VxD ID of SIWVID
. {$ D5 C) A" S+ [0 L& N int 2fh
: _; }1 J& I# x mov ax, es ; ES:DI -> VxD API entry point
) E+ K! \1 m) Y: `% r add ax, di
9 N# {: }; t D P6 }7 U+ f$ q test ax,ax
' j+ h/ @. B- n/ v5 T jnz SoftICE_Detected7 v# `8 J% n; o$ x/ G
3 N7 \! T4 Q6 D& j, D9 j__________________________________________________________________________
1 x; a3 u0 ]# _9 k! l: V" f
, U2 Y! P) K& y7 N, }8 [: r0 Q7 |, j8 ]$ ^
Method 050 i1 z% e" {4 {$ p. d
=========$ U( _ Y& B5 O5 `8 _: K1 }
. n; C3 s- k/ b8 t6 y F& h
Method seeking the 'magic number' 0F386h returned (in ax) by all system
4 W7 W% Z# ]0 R, Y3 K/ Wdebugger. It calls the int 41h, function 4Fh.
2 J$ t$ q' i$ I: c7 { R0 D2 ZThere are several alternatives.
3 D; m8 d1 c# z0 F( o9 Q
8 B; L& S5 Q2 v, ^3 w: R& {2 nThe following one is the simplest:
, ?( `* B+ u! `* E3 L$ ]1 V1 U6 C/ o; ~( e' |
mov ax,4fh0 h8 S3 F& U) X) V3 p/ K
int 41h
! `3 N" `+ \/ J: v cmp ax, 0F386
/ j, F% r8 g2 u5 V jz SoftICE_detected y, I: s$ [, x$ q" N! W1 `
. J4 I* F; E" V C
1 U( L' W$ @! N% a5 ENext method as well as the following one are 2 examples from Stone's
3 t: T/ R. a/ R/ {# s/ Z% u" }"stn-wid.zip" (www.cracking.net):, f. c. w* T! i! I
% P" e$ R* e8 ]( G mov bx, cs
7 o- z- @$ E, A4 f4 z lea dx, int41handler2
o4 w" `6 s: {/ e5 h$ }2 q" } xchg dx, es:[41h*4]
. C( M1 P. p0 o% x6 A4 x0 k3 g xchg bx, es:[41h*4+2]
; c1 z g6 J/ v4 @ mov ax,4fh
; B6 E$ K+ Y- t6 h int 41h
/ ?4 y U, L" d/ g1 ?: R xchg dx, es:[41h*4]% R( F( \' g. I+ i/ [7 C6 J$ {' {
xchg bx, es:[41h*4+2]
# V+ u% i' t( T" I# l" d8 s( i cmp ax, 0f386h
* h9 n7 m3 \2 b" \( K! ~ jz SoftICE_detected5 E! c h9 ?: I
( X. C! L3 t4 Z$ T6 \6 e
int41handler2 PROC
. o; ?( O$ \$ F* _ iret4 D6 z. x9 u& f- b5 [
int41handler2 ENDP) B1 p/ m4 A3 g4 A' J
* L5 Y ^4 n9 ^
2 W! _, I h* o( V9 I+ \_________________________________________________________________________
( h- [3 v/ b) I' L. v
* L7 T: ]2 P! X4 ^6 S
0 ]# Q; l: c: FMethod 06( O: c, ?8 }6 P4 X5 M, k
=========
* j# Y& `9 T. q) g/ s& P0 ~: l/ _6 m, C' L! O- _% r2 p
& K( |' a, v3 n, S! v& A6 R2nd method similar to the preceding one but more difficult to detect:
7 y; c% L, U) z1 l) t3 R+ b' m7 \ m; d) m+ G
6 G; C- [; }% ^. {( C* m
int41handler PROC
( e9 z/ ~ M7 C( t7 @ mov cl,al
: p; j* P9 L+ F/ N& y iret
! }$ b j$ q7 e/ ^3 ~4 qint41handler ENDP
; T1 b- U' r M0 x M( L: o3 D) D8 {% I% t4 l
( z# C* ~; J$ c# t& v! U" N
xor ax,ax
6 B" T/ ~3 T. d4 a6 ?2 A* C mov es,ax
( G# U I, ^% W6 N mov bx, cs
1 s! _ p4 v8 Y! \9 d, A9 W lea dx, int41handler7 ?4 D9 g8 n" Z# L+ L
xchg dx, es:[41h*4]+ j% |6 O7 s% `7 }9 n9 r
xchg bx, es:[41h*4+2]% H+ R; `/ L. U# Z8 ~' T" M& @ x7 u
in al, 40h3 S" R6 {; H: [1 H0 J! s
xor cx,cx2 l4 j7 \( Y/ q: M' Z
int 41h
4 @3 r l, _9 T V( {3 F. m3 Q F% c xchg dx, es:[41h*4]
& h5 v* |) }' F* I8 }, R xchg bx, es:[41h*4+2]- A% U4 V: B) b( z
cmp cl,al
9 h# M- F7 @0 Q) \$ R' m% j3 I jnz SoftICE_detected5 b# }, m6 @* D# K
2 \* Y& `8 F; L$ \6 q, @& R( L0 N_________________________________________________________________________
2 K- F8 y2 H! ~: y9 q9 g
& l( r8 j4 I! v4 _Method 071 L' r9 P8 }. K
=========
. ]- r- M3 Z: x7 H6 y& v; S9 Y" |, T4 r3 G5 }
Method of detection of the WinICE handler in the int68h (V86)5 c6 F9 S# ? O$ j, `+ {& c9 d
# x/ b Q$ v, e" ?/ w. E0 H
mov ah,43h
( H) n8 i+ u# u3 B G ]/ L- [ int 68h$ L2 t, m' B! V+ T9 w" O
cmp ax,0F386h
$ v. D3 ^5 G+ V jz SoftICE_Detected
6 A0 J. p) m8 x( R6 w; ~; t, P8 A$ Q; a L
, \" m$ C- D3 d5 l( @, p
2 W ?3 w& R) m7 E$ |0 H=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
I8 B* J9 ?. E ` app like this:" y' I! X) n+ \- Z" }
8 r8 k5 Z9 g: J4 o+ D: } BPX exec_int if ax==68
7 i2 a. u8 M8 t (function called is located at byte ptr [ebp+1Dh] and client eip is5 A9 i& J% ]3 f: U! B
located at [ebp+48h] for 32Bit apps)
. @, J' {0 } G6 s" o__________________________________________________________________________# F$ L% X8 |7 R# j( V# W5 F6 W
: m4 f' r7 I% K7 n
8 {6 I" d. `+ O' `' g* o/ [Method 085 J: H( u4 P- V: q$ i: }5 W+ t" q3 o
=========
% F: ^- q1 E! ]" {& W7 U7 p, ]- S; d* Q
It is not a method of detection of SoftICE but a possibility to crash the
" n6 f* w z |+ A" vsystem by intercepting int 01h and int 03h and redirecting them to another
8 ]3 c# a ~& proutine.
O8 x# K6 }# S4 A o' ` HIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points2 ?9 w1 O* l7 Q& T7 h5 M0 S
to the new routine to execute (hangs computer...)
3 u" D5 z7 d9 ?: ~, K. J1 }/ S! T d. W+ l) S4 i: a8 q
mov ah, 25h% O: y6 T9 k7 _
mov al, Int_Number (01h or 03h). Q. O$ t1 V3 v: j9 p- W5 Q, _1 t
mov dx, offset New_Int_Routine
. `! e( @0 _/ E2 e Y9 r int 21h! I- @. z7 t$ [/ M
& j' p) }5 p8 W& x
__________________________________________________________________________
! e+ A9 p& B5 j3 R
@% S0 R; s6 w( E5 n4 DMethod 09
$ `3 t6 H7 T5 q0 x0 L" [=========
% c4 K5 P+ x, z( R
2 j }* e& t. s8 z4 q9 ?This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
& V; Z+ o& \* f, {4 T1 {performed in ring0 (VxD or a ring3 app using the VxdCall).& L, c* e0 \: a+ T
The Get_DDB service is used to determine whether or not a VxD is installed
5 { `) p; H# [( z& Y; Vfor the specified device and returns a Device Description Block (in ecx) for8 j; L- R8 y9 J( j
that device if it is installed." A, _- K3 e2 o$ o' l
9 f: W& g; u$ q5 O- X mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID q' j2 C8 _5 w' ~
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
! m+ I5 o9 c0 q3 a VMMCall Get_DDB& a% {+ L% M( `" H t1 v4 \' ?/ P
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
+ z0 x& }. D5 k/ c5 o' Q! a' F2 i* z3 u$ s' n3 T
Note as well that you can easily detect this method with SoftICE:
- {) M5 `/ P% Z; d bpx Get_DDB if ax==0202 || ax==7a5fh
2 s5 Z& f% N9 W3 u; A) w
9 }# I2 C, H7 l% p__________________________________________________________________________4 z0 ~6 u6 O3 ]- o- m/ s
0 B4 V* p, k9 }; E" q
Method 101 e& u8 I; B3 |' O' V
=========& {7 o; K/ R" g0 ~) L5 `
) B+ e% r' G& q$ ^=>Disable or clear breakpoints before using this feature. DO NOT trace with4 q: {. l6 M3 }4 ?
SoftICE while the option is enable!!
, e8 [4 J7 |' j& V% t$ X/ L5 V; W
' W7 n% v. X, @0 fThis trick is very efficient:% o! V! d9 V( n: A1 r
by checking the Debug Registers, you can detect if SoftICE is loaded
2 E# [; s$ {+ _* r7 {3 f8 q0 H(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
" s. }* r5 |+ O, n9 t- L4 G& U6 xthere are some memory breakpoints set (dr0 to dr3) simply by reading their
1 A( w5 a5 p* h! u8 A: F0 `1 Jvalue (in ring0 only). Values can be manipulated and or changed as well% j$ Q; Q- [. B9 d" z
(clearing BPMs for instance)9 \2 C# q( ~3 D: {
- j5 i2 G) z' b- h" h0 @; K4 o__________________________________________________________________________5 u. V" O8 D9 `( u8 Y. e( Z
& ~2 l8 v$ q2 w6 |0 a
Method 11
% B5 @" g& @; G& J. K=========; U/ c: T1 c9 |8 \* ~6 {+ h
2 _. H$ a5 E% [* P7 PThis method is most known as 'MeltICE' because it has been freely distributed
; b$ V Y9 B8 ~, K- p, W. S5 ]% o" {via www.winfiles.com. However it was first used by NuMega people to allow
, M* D& S# \2 D1 V$ fSymbol Loader to check if SoftICE was active or not (the code is located
/ L2 L/ X; z6 h& Sinside nmtrans.dll).- {4 h. u; l6 Y5 }8 P5 _& P5 e
" e* k" }$ V2 X. X- u' G* J. N
The way it works is very simple:1 v R% ?# E0 c1 k
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for! ?, [1 g) W5 ?; @2 d
WinNT) with the CreateFileA API.
; {" H1 n* Z+ L, [$ C; C
$ o$ G+ }( Z' D3 |Here is a sample (checking for 'SICE'):( {- z C9 l+ l8 ~+ P
4 G5 S& \( K9 eBOOL IsSoftIce95Loaded()' o! B3 y. I4 s. W1 e
{/ _/ v( g% G" X7 w
HANDLE hFile;
; H J: e) i9 `) l2 W' w hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,1 Q; w2 L" e5 X9 H' n9 A& v
FILE_SHARE_READ | FILE_SHARE_WRITE,$ H) s- l; c" @; w/ Y) s1 A
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);2 q" s- ]% Y0 ^ Z0 d
if( hFile != INVALID_HANDLE_VALUE )
# ]' T: L# P+ r9 z) A& Z0 ] {
9 p9 K0 Q$ r5 I2 ^) A: R+ s CloseHandle(hFile);
9 O" F9 Q C" [ return TRUE;
! y& |" a, r% }3 N% T3 C0 V9 z$ q" R }# F. ]& E# A; e! i7 ?6 z
return FALSE;6 t- x- j0 p- u
}8 Y5 V! w2 h& y6 F2 I
+ Z4 p% f; u3 a& u/ I/ Q' r6 JAlthough this trick calls the CreateFileA function, don't even expect to be6 }8 l- u/ }, O A
able to intercept it by installing a IFS hook: it will not work, no way!
$ k8 }$ @: }$ m* p# ^# GIn fact, after the call to CreateFileA it will get through VWIN32 0x001F& b! L) `2 D/ P9 ]. y
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
* |4 @" z: I: U9 [& |and then browse the DDB list until it find the VxD and its DDB_Control_Proc
- V0 Y4 J* o' w' b3 Rfield.
3 G( R" V3 A ?2 }2 S, m: zIn fact, its purpose is not to load/unload VxDs but only to send a # p! [8 e1 `9 m
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
: s1 d: ?) |6 N' y J$ g1 Y3 \to the VxD Control_Dispatch proc (how the hell a shareware soft could try8 p% d( g( ]/ s+ B" ]
to load/unload a non-dynamically loadable driver such as SoftICE ;-).9 Z6 F7 p9 v8 e' L5 D! c
If the VxD is loaded, it will always clear eax and the Carry flag to allow5 R; |# X% p$ ]1 P$ n
its handle to be opened and then, will be detected.
7 k; ]' i7 ^# `You can check that simply by hooking Winice.exe control proc entry point
' g4 G+ h% F2 \3 Iwhile running MeltICE.+ G; f5 }" r; c1 u1 \5 L6 s
: A6 d4 J; J/ d) L9 K7 U" ~4 j: u6 \" ]% i9 j/ C
00401067: push 00402025 ; \\.\SICE
, x$ y5 d4 ]7 Q2 Y8 M2 M: P* ^& @% R 0040106C: call CreateFileA9 o- m0 S. O8 U* P9 p8 o/ ~
00401071: cmp eax,-001
2 P" w' c6 s! r* { 00401074: je 004010919 e" h' A6 D4 {0 v! M0 `
# `0 }* L' e: G5 Y( f2 j- M
7 T7 P0 m+ A4 H) WThere could be hundreds of BPX you could use to detect this trick.
6 A0 B4 T$ o0 V( `9 x2 |5 ]-The most classical one is:/ e0 ?0 E6 ~. p( s$ [, r
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
* m( Q% i6 y+ s3 B' g; s% _& c *(esp->4+4)=='NTIC'7 n$ h% D' Q! u- P$ s) P
6 [' H7 f- D, W# ~$ |
-The most exotic ones (could be very slooooow :-(
- W* r% D8 E3 F- j BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
: J! @$ L# { Y. v ] ;will break 3 times :-(
, G- U; S1 F( l- N* b% K; j' v! N0 Y; O9 ^, ?4 ?- A: Q
-or (a bit) faster: 6 F! z; G' ]& i& h x* l. ^
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')' J& [6 {8 C- f' L
3 l: u# ?" r8 i4 ?- C* R BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' # r5 K- o6 L6 L) M: C
;will break 3 times :-(6 ]2 Y' J; a F4 |* N
. d4 a4 j7 P0 v: v% w
-Much faster:
1 x5 G! i) u9 t6 H BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'; R5 d# b& o4 w+ s/ `+ w D
/ t3 L( d1 p* T2 H/ p/ o- g( V% YNote also that some programs (like AZPR3.00) use de old 16-bit _lopen7 u8 P( W, P$ A3 w- v
function to do the same job:/ w$ N, c& ^( m: s7 a0 U
( [1 j2 R9 i# V( _3 [) ~5 f X2 _ push 00 ; OF_READ
+ T0 a8 R: n4 S mov eax,[00656634] ; '\\.\SICE',0# A3 i* D6 ^; }+ k, K n0 O) b8 J
push eax7 \" M! o+ F5 w) ^9 o( J; C( i
call KERNEL32!_lopen
2 }, l4 X# ]) y9 E& {4 N inc eax
7 I4 F" s: C. N; Y7 }8 [. r jnz 00650589 ; detected
5 v# v- |0 o0 |% y( K$ t push 00 ; OF_READ1 e' U, c! D4 |# `. \5 L6 C
mov eax,[00656638] ; '\\.\SICE'
6 @1 |5 l1 r8 D# v, E, Q& Z6 I push eax
3 D6 }7 {& ]) S# I3 ^ call KERNEL32!_lopen
7 d! }: X& {3 | inc eax
& R5 c0 |! k/ w2 n: I" s5 O& F. y6 d8 S8 ` jz 006505ae ; not detected
. Z% X$ |% V) A
) h1 W* @% Y! K( S9 E0 ]& e, @$ S! B7 `3 M0 U/ W( M6 H
__________________________________________________________________________
8 I& f% D8 E) V# z0 d \/ q) a# X- \ o
Method 128 S; h5 i9 @: @* U
=========
/ c' {- h- j5 u4 R6 B& D7 e9 F4 p( C4 T) i% f2 D1 x
This trick is similar to int41h/4fh Debugger installation check (code 05
. ]3 O7 ~* M) Z8 T/ L, E& 06) but very limited because it's only available for Win95/98 (not NT)) [" N+ q* T0 X( Z
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.& P/ ~$ s, v" F& }
/ f% }# [) l3 I, S, |
push 0000004fh ; function 4fh
" n* ?5 n( o+ h push 002a002ah ; high word specifies which VxD (VWIN32)5 r) r$ J/ R0 R4 E
; low word specifies which service" w( i& a( T* o- \% z$ f7 T# A( ^
(VWIN32_Int41Dispatch)
4 \5 W# j# f3 t call Kernel32!ORD_001 ; VxdCall
) K9 g0 \; }) S( v+ ^% Y cmp ax, 0f386h ; magic number returned by system debuggers6 l& q$ n/ ?& }. x( }" N! ^0 b
jz SoftICE_detected9 W' [. R( b$ Q3 q/ c
, G8 b0 T0 D# \2 U8 q
Here again, several ways to detect it:
8 M- o+ |4 E e- I- e/ F6 x1 {9 e6 L+ R( e
BPINT 41 if ax==4f
+ F9 w2 \3 u, `2 d6 F9 h8 T0 X3 y( O0 B) V" {+ N0 p* C9 a4 Z7 C
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one# N" r- x; l4 L; g
- Z* D! x$ n7 i
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A9 O9 Z6 r+ n0 k l: m# Q
) P( b. o$ F }; O4 h BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!8 N, s: F9 P/ T3 k9 L
" J% u1 d1 c4 l1 W' |__________________________________________________________________________
, F; @- N9 w6 l: N V# \) u; ?+ H" l: a
Method 13
5 [& V( _/ V+ F/ K1 {; P7 l* P1 C=========
" E/ Q. w0 b8 f5 r6 ]1 l
" d0 T5 D u! a8 n& `Not a real method of detection, but a good way to know if SoftICE is
& Z0 P$ x0 K6 m4 F; v$ E* e$ W" binstalled on a computer and to locate its installation directory.
6 h3 l- T/ n9 c* @: i1 J! ^7 S. BIt is used by few softs which access the following registry keys (usually #2) :
( {) s( Q9 T/ Q. y- f" y! H' j) z7 w9 N9 n6 s8 J5 t1 N
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\8 K; ]% `8 F+ D" y( _8 }\Uninstall\SoftICE
. j' M2 M. |9 {, n-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE$ m0 P; ?+ L. ?
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
; D Z0 B j9 {$ y6 P% P- }\App Paths\Loader32.Exe3 A( _) {4 m+ }
: u! @( ]8 b* ?/ B
$ y$ ^ b a- FNote that some nasty apps could then erase all files from SoftICE directory! T1 _4 a# T8 o& x
(I faced that once :-(/ P ?2 R* B a: e; I% t
+ a0 z! w' | A' d& s: H- T5 a
Useful breakpoint to detect it:
$ v4 f H4 o; g: Q' c Y! V9 U/ T* }4 Q2 @1 H# @
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'0 y7 u3 X( x* E' g* |2 D$ q6 Y
8 B) z$ r7 S9 k5 h8 x, e' c9 @6 W1 ^
__________________________________________________________________________
) Q1 r2 a- L- e
+ E! k4 P. A+ u
# |$ |6 a/ A) MMethod 14 , U! O ~7 [: Z: u
=========/ T3 \3 J7 m( _% V1 j, r, Z
* C' Z' U7 O3 r) w- GA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
) Y6 B- D4 ~5 n! ~: p' B$ W3 K4 fis to determines whether a debugger is running on your system (ring0 only).# i: S( G, ^ {0 B/ M4 @
2 q, c0 t4 H4 k
VMMCall Test_Debug_Installed
4 e6 ^; h) x+ o& Z3 C je not_installed# N3 j c, d8 Z( m7 w; R8 i! J
* W( F) x% y% V+ vThis service just checks a flag." U' x2 |) O0 L: _% J/ N* W
</PRE></TD></TR></TBODY></TABLE> |