<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

 mov ebp, 04243484Bh    ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command; ds:dx points to the command)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

 4C19:0095 MOV AX,0911    ; execute command.
 4C19:0098 MOV DX,[BX]    ; ds:dx point to the command (see below).
 4C19:009A MOV SI,4647    ; 1st magic value.
 4C19:009D MOV DI,4A4D    ; 2nd magic value.
 4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
 4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
 4C19:00A8 JB 0095        ; 6 different commands.
 4C19:00AA JMP 0002       ; Bad_Guy: jmp back.
 4C19:00AD MOV BX,SP      ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the SoftICE VxD ID via int 2Fh/1684h
(API "Get entry point"):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h          ; VxD ID of winice
 int 2Fh
 mov ax, es             ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh          ; VxD ID of SIWVID
 int 2fh
 mov ax, es             ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
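The checks in Methods 01 to 07 all come down to an INT with a few register
loads in front of it, so an analyst can flag them statically in a dumped or
unpacked image without running the program. The scanner below is an added
example written for this page (it is not code from the original document nor
from any tool it names): it finds every INT in a buffer of raw 16-bit x86
code, decodes the mov reg,imm loads in the bytes before it, and labels the
combinations the page describes (int 3 with 'BCHK' or the 4647h/4A4Dh magic
values, int 2Fh/1684h with the SICE or SIWVID VxD IDs, int 41h/4Fh, int
68h/43h). Method 06's variant does not load 4Fh, so it is not matched here.
The sample buffer is constructed from the encodings of the page's own
snippets; the register sweep is a byte heuristic, not a disassembler, so it
is meant for triage rather than proof.

```python
import re

# Opcodes of the register loads the checks rely on (16-bit operand size):
# B8+r = mov r16,imm16 ; B4 = mov ah,imm8.  BD is also the 32-bit form
# mov ebp,imm32 used by Method 01, which is handled separately below.
MOV_R16 = {0xB8: "ax", 0xBB: "bx", 0xBE: "si", 0xBF: "di", 0xBD: "bp"}
MOV_R8 = {0xB4: "ah"}
BCHK_IMM = (0x4243484B).to_bytes(4, "little")   # 'BCHK' as a mov ebp immediate

# INT 3 back door functions listed in Method 02
BACKDOOR = {0x0910: "display string", 0x0911: "execute command",
            0x0912: "get breakpoint info", 0x0913: "set breakpoints",
            0x0914: "remove breakpoints"}
# VxD IDs used with int 2Fh/1684h in Methods 03 and 04
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}


def registers_before(code, end, window=20):
    """Collect mov reg,imm loads in the `window` bytes before offset `end`
    (the INT opcode).  Linear byte sweep: known loads are consumed whole,
    anything else is skipped one byte at a time."""
    regs = {}
    i = max(0, end - window)
    while i < end:
        op = code[i]
        if op == 0xBD and i + 5 <= end and code[i + 1:i + 5] == BCHK_IMM:
            regs["ebp"] = 0x4243484B            # Method 01: mov ebp,'BCHK'
            i += 5
        elif op in MOV_R16 and i + 3 <= end:
            regs[MOV_R16[op]] = int.from_bytes(code[i + 1:i + 3], "little")
            i += 3
        elif op in MOV_R8 and i + 2 <= end:
            regs[MOV_R8[op]] = code[i + 1]
            i += 2
        else:
            i += 1
    return regs


def classify(vector, regs):
    """Name the SoftICE check that INT `vector` with setup `regs` matches,
    or return None for an ordinary interrupt call."""
    if vector == 3:
        if regs.get("si") == 0x4647 and regs.get("di") == 0x4A4D:
            fn = regs.get("ax")
            fn_text = "%04Xh" % fn if fn is not None else "?"
            return "Method 02: INT 3 back door, AX=%s (%s)" % (
                fn_text, BACKDOOR.get(fn, "unknown function"))
        if regs.get("ebp") == 0x4243484B and regs.get("ax") == 4:
            return "Method 01: INT 3 BoundsChecker 'BCHK' check"
    elif vector == 0x2F and regs.get("ax") == 0x1684:
        vxd = regs.get("bx")
        if vxd in VXD_IDS:
            return ("Method 03/04: INT 2Fh/1684h entry point of %s VxD (ID %04Xh)"
                    % (VXD_IDS[vxd], vxd))
    elif vector == 0x41 and regs.get("ax") == 0x4F:
        return "Method 05: INT 41h/4Fh debugger installation check"
    elif vector == 0x68 and regs.get("ah") == 0x43:
        return "Method 07: INT 68h/43h WinICE V86 handler check"
    return None


def scan(code, window=20):
    """Return [(offset, description)] for every INT whose register setup
    matches one of the page's checks.  CC is the one-byte int 3, CD nn the
    general form; a CC/CD byte inside an immediate is examined too, which is
    harmless because its setup will not classify."""
    hits = []
    for m in re.finditer(rb"\xcc|\xcd.", code, re.DOTALL):
        vector = 3 if code[m.start()] == 0xCC else code[m.start() + 1]
        desc = classify(vector, registers_before(code, m.start(), window))
        if desc:
            hits.append((m.start(), desc))
    return hits


# Constructed sample: the page's snippets assembled back to back with
# ordinary code in between (offsets in comments).
SAMPLE_CODE = (
    b"\x90\x90"                        # 0:  nop ; nop
    b"\xb8\x11\x09"                    # 2:  mov ax,0911h      (Method 02)
    b"\x8b\x17"                        # 5:  mov dx,[bx]
    b"\xbe\x47\x46"                    # 7:  mov si,4647h
    b"\xbf\x4d\x4a"                    # 10: mov di,4A4Dh
    b"\xcc"                            # 13: int 3
    b"\x83\xc3\x02"                    # 14: add bx,2
    b"\x33\xff"                        # 17: xor di,di          (Method 03)
    b"\x8e\xc7"                        # 19: mov es,di
    b"\xb8\x84\x16"                    # 21: mov ax,1684h
    b"\xbb\x02\x02"                    # 24: mov bx,0202h
    b"\xcd\x2f"                        # 27: int 2Fh
    b"\x8c\xc0"                        # 29: mov ax,es
    b"\xb8\x4f\x00"                    # 31: mov ax,4Fh         (Method 05)
    b"\xcd\x41"                        # 34: int 41h
    b"\x3d\x86\xf3"                    # 36: cmp ax,0F386h
    b"\xb4\x43"                        # 39: mov ah,43h         (Method 07)
    b"\xcd\x68"                        # 41: int 68h
    b"\xb4\x09"                        # 43: mov ah,9           (plain DOS call)
    b"\xcd\x21"                        # 45: int 21h
    b"\xbd\x4b\x48\x43\x42"            # 47: mov ebp,4243484Bh  (Method 01, 32-bit)
    b"\x66\xb8\x04\x00"                # 52: mov ax,4
    b"\xcc"                            # 56: int 3
    b"\x3c\x04"                        # 57: cmp al,4
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE_CODE):
        print("%04X  %s" % (offset, desc))
```

Run on the sample it reports the five checks and stays silent on the int 21h
DOS call; on a real image, feed it the code section of the unpacked file.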
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number     ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx         ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Try to open the SICE VxD as a device; success means SoftICE is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then browse the DDB list until it finds the VxD and its
DDB_Control_Proc field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025       ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
     *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                ; OF_READ
 mov eax,[00656634]     ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589           ; detected
 push 00                ; OF_READ
 mov eax,[00656638]     ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae            ; not detected


__________________________________________________________________________
Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32),
                        ; low word specifies which service
                        ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001  ; VxDCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386                ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

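Methods 11, 12 and 13 leave recognisable artefacts in the program image
itself: the device names MeltICE opens, the push 4Fh / push 002A002Ah pair in
front of the VxDCall, and the registry subkeys. The scanner below is an added
example written for this page, not code from the original document nor from
MeltICE: it reports those artefacts in a buffer and also works out where
'tICE' sits inside each subkey, which is where the +0x13 and +0x37 constants
of the _regopenkey breakpoint above come from. The sample image is
constructed for the demonstration.

```python
import re

# Device names opened by MeltICE-style checks (Method 11); the 16-bit _lopen
# variant uses the same strings, so it is caught as well.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]

# Registry subkeys from Method 13, as passed to RegOpenKey (hive omitted).
REGISTRY_KEYS = [
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    b"Software\\NuMega\\SoftICE",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
]

# Method 12: push 4Fh (6A 4F short form, or 68 4F 00 00 00) followed by
# push 002A002Ah (68 2A 00 2A 00) selects VWIN32_Int41Dispatch, function 4Fh.
INT41DISPATCH = re.compile(rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00")


def find_softice_artifacts(image):
    """Return sorted [(offset, description)] for every artefact in `image`."""
    hits = []
    for name in DEVICE_NAMES:
        for m in re.finditer(re.escape(name), image):
            hits.append((m.start(), "Method 11: device name %s" % name.decode()))
    for key in REGISTRY_KEYS:
        for m in re.finditer(re.escape(key), image):
            hits.append((m.start(), "Method 13: registry subkey %s" % key.decode()))
    for m in INT41DISPATCH.finditer(image):
        hits.append((m.start(), "Method 12: VxDCall VWIN32_Int41Dispatch, function 4Fh"))
    return sorted(hits)


def tice_offset(subkey):
    """Offset of 'tICE' inside a subkey string (-1 if absent): the constant
    the page's _regopenkey breakpoint adds to the lpSubKey pointer (esp->8)."""
    return subkey.find(b"tICE")


# Constructed sample image: a string area followed by a few code bytes.
SAMPLE_IMAGE = (
    b"\x00\x00\x00\x00"                      # 0:  padding
    b"\\\\.\\SICE\x00"                       # 4:  "\\.\SICE"
    b"\\\\.\\SIWVID\x00"                     # 13: "\\.\SIWVID"
    b"Software\\NuMega\\SoftICE\x00"         # 24: registry subkey #2
    b"\x6a\x4f"                              # 48: push 4Fh
    b"\x68\x2a\x00\x2a\x00"                  # 50: push 002A002Ah
    b"\xff\x15\x00\x00\x00\x00"              # 55: call dword ptr [VxDCall]
    b"readme.txt\x00"                        # 61: unrelated string
)

if __name__ == "__main__":
    for offset, desc in find_softice_artifacts(SAMPLE_IMAGE):
        print("%08X  %s" % (offset, desc))
    for key in REGISTRY_KEYS:
        off = tice_offset(key)
        if off >= 0:
            print("'tICE' at +0x%02X in %s" % (off, key.decode()))
```

The subkey arithmetic gives 0x13 for Software\NuMega\SoftICE and 0x37 for
the Uninstall key, matching the two offsets in the breakpoint; the App Paths
key contains no 'tICE', which is why the breakpoint does not cover #3.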
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>