<TABLE width=500># ]" C0 q/ h! I: B- y
<TBODY>
; @6 J( u% Y }% Q6 t2 V<TR>
U& G* e8 ]: Q7 M9 c<TD><PRE>Method 01
1 k3 J0 _) B4 i# X1 C v) v=========
0 ?7 n0 _, ]) o/ i# f+ [# _( S1 I% g# u/ ^# h# ]: F- Y
This method of detection of SoftICE (as well as the following one) is
9 U" g4 j/ @' c% Q- \used by the majority of packers/encryptors found on Internet.
( o/ t( L4 |8 r; E& ^- V. l, vIt seeks the signature of BoundsChecker in SoftICE/ Y: y% t+ B6 \( V5 C/ \; S$ T
, `# D3 d! m0 s# @8 G, b mov ebp, 04243484Bh ; 'BCHK'
5 Q! O. v8 f6 ~9 @/ ?9 Q6 i mov ax, 04h3 K$ D0 S' _) H) J ~2 H9 p
int 3 1 i) d4 q% D; F8 c4 i
cmp al,4+ Q" Y2 g) I+ e2 ?0 W2 l
jnz SoftICE_Detected
& h' T# S D p5 x9 @" o, C. ~9 G& T2 c8 S3 H7 L+ x: k
___________________________________________________________________________+ k) w% @ K8 j, r( |9 o9 Y
) c. _! x% H% S% r% {Method 02
6 u% D+ B$ N" g2 N=========
6 t( r) _* W, A% A5 _( M% f7 H0 \
; b& v9 {8 H- K: Y6 n, oStill a method very much used (perhaps the most frequent one). It is used6 k) u7 n& U+ U
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
& [8 b+ |6 C! Z# Qor execute SoftICE commands...
8 C) E, i4 \7 u2 y* ^It is also used to crash SoftICE and to force it to execute any commands9 g9 O7 M& F% _5 h+ k; A
(HBOOT...) :-(( : V$ I8 \4 R6 w/ t
: _' J H8 S. ^/ Y8 \' q m+ U5 {
Here is a quick description:5 V% p( w7 D+ v7 Y4 t, ?
-AX = 0910h (Display string in SIce windows)% |) N4 U; V( M4 j" L: s8 Y
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)4 ?- O7 K) V2 X
-AX = 0912h (Get breakpoint infos)( Q# i# }9 m3 @1 n% R2 H* s+ _
-AX = 0913h (Set Sice breakpoints)4 f/ E8 S% `9 p3 }
-AX = 0914h (Remove SIce breakoints)+ k$ \% C4 u9 ?- I6 u, b- h V+ i
+ Q/ u" Z/ k0 @' c* y) U3 m) [% I- ^
Each time you'll meet this trick, you'll see:1 ~4 \, H# _" h x/ l9 b
-SI = 4647h( b4 ?6 [9 g! j: y9 B$ P
-DI = 4A4Dh/ O( |2 `( P( S5 M! r$ k& i. @1 t
Which are the 'magic values' used by SoftIce.
0 O& N: q: D, E! S) k% X7 c) qFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.1 r# q2 L6 u6 r% h; u7 M
9 S" h4 i+ p* Z/ J5 R; zHere is one example from the file "Haspinst.exe" which is the dongle HASP
. ~$ F7 |4 s+ P, n3 @. ~2 |$ e) IEnvelope utility use to protect DOS applications:
$ A6 P# E; ` o' }4 v
& `( c2 C# d; \* J/ v4 v
5 X, I5 V6 q2 L4C19:0095 MOV AX,0911 ; execute command.
/ b$ S8 z) o' N* L4 p) K- q$ t4 G4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).4 |: H6 c. q6 f! \
4C19:009A MOV SI,4647 ; 1st magic value.% o4 E9 U. d0 i% d
4C19:009D MOV DI,4A4D ; 2nd magic value.
: p, v3 p( I9 \3 |$ A9 B! p, n4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*). r- }0 Y, l9 e
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
; }8 k7 Q4 E, `4C19:00A4 INC CX
: M4 K* Z% w; n3 b8 d4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
9 v% e2 H) s1 k* u7 @1 i6 y4C19:00A8 JB 0095 ; 6 different commands.2 _) b, D" p+ K7 {- n9 B- `; r4 X' ]
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
5 R# c. x9 f: y. k4C19:00AD MOV BX,SP ; Good_Guy go ahead :)7 ~. e7 {. L# S: G+ g% h
7 T0 O& R" ~. d0 o8 D& w- O
The program will execute 6 different SIce commands located at ds:dx, which
. x }$ W" g o( F' Nare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
& W A* ]" Z: L+ W" g8 P
- J& r, Q8 V2 F) y* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.. }6 ?9 Z1 A, s* K4 v
___________________________________________________________________________
( c( N7 r9 X j9 R+ r" J
+ U6 L. p( f: K$ M7 P. G$ D9 A8 P7 n& V M: R2 w( ]( }
Method 03
0 a: X% n4 y' Q=========
* {0 c& i# j3 w1 A
5 e. `2 q0 b% S: i& u# FLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h6 n5 F; `2 p6 L
(API Get entry point)
s. R7 u& A4 Y! T& k* A 8 J I' l8 ~6 x+ N z" W
7 T u) t5 m% M xor di,di
) ]( c4 ^" f* p' r) z/ u mov es,di
! Z+ z9 s! d: X" N- M( H mov ax, 1684h ! G! n( {8 F9 Y0 W
mov bx, 0202h ; VxD ID of winice
; m" w# F$ ]2 z" Z int 2Fh' K* S4 M7 [# Z( o" ?
mov ax, es ; ES:DI -> VxD API entry point
, w* j6 Q- N j% f/ ^2 o O+ Q0 p$ F add ax, di
& ^$ l( B. q$ [. \# C: j test ax,ax
! m+ f) }9 q7 K jnz SoftICE_Detected
# y8 _9 ^$ V g" [
! L, h8 v& v1 y' I# }1 B K___________________________________________________________________________
4 r" u5 G2 P, V8 e2 \3 l$ s, m
4 o$ V! q4 C: a4 iMethod 04
9 l" Q* ?, M2 E9 z=========
1 X% j, u& c" b% D8 W" W: r
) E( l, Q2 W# j0 I! }2 RMethod identical to the preceding one except that it seeks the ID of SoftICE0 Q _* ?& b) I9 _) ]# [
GFX VxD.
/ K) A: m% V" t9 ?+ a! z6 h
, ~3 J0 ]9 J) {% Z$ \& V xor di,di5 _2 C1 Q/ Q& B/ } `, Y T0 {9 y$ U+ q
mov es,di/ F( }* j: Y% i7 S
mov ax, 1684h 2 ]$ C0 z/ x: }2 W% `
mov bx, 7a5Fh ; VxD ID of SIWVID! x8 p9 P, o$ K' a2 U* C
int 2fh# i/ p' \, x) L4 t8 _6 B# {' t7 _
mov ax, es ; ES:DI -> VxD API entry point) y1 p6 N. ]" `/ w5 {" |( A
add ax, di
# l3 r1 k2 n# Q* k test ax,ax
( x: O9 c1 v$ M1 [. T6 m4 I6 { jnz SoftICE_Detected5 ~. a7 x- d! }* M2 n, K
$ h) J( j& a' y. i__________________________________________________________________________$ O: `) u' h% [5 F' b
0 q3 o; i! h- L- {
4 G2 o* ]! Y7 l
Method 05
/ y0 L4 ?* o# K( y+ F4 f5 y=========" M: v6 |) A& q* C
5 j$ D( D. u% A2 Y% X! Z
Method seeking the 'magic number' 0F386h returned (in ax) by all system- m9 s! K- m( S( t
debugger. It calls the int 41h, function 4Fh.
! ~, A9 l% M& }5 U) I2 tThere are several alternatives. ( s/ L$ ]% ?/ ?$ u
9 N' { u; M0 C# P7 I: q- mThe following one is the simplest:( h5 B! i) C& n# ~& `- e" o8 M2 v7 x
9 n* F/ n% Q! S8 X M) V mov ax,4fh
' u7 @2 ^; a/ y3 j7 ~ int 41h
/ ?. C" O; C$ o$ C' _' H cmp ax, 0F386
% T ]% d5 a" N8 C" n) o5 Z jz SoftICE_detected [* q$ C7 G* r
! S7 N3 ^, |; v4 q0 h0 u2 k1 o/ @9 o: ?6 D$ A# z
Next method as well as the following one are 2 examples from Stone's
- P. c r2 u/ {$ ~3 h+ h2 i"stn-wid.zip" (www.cracking.net):
3 i ]# R* ]- h. F3 o8 R! [$ x1 c# m1 K7 Z$ Z0 _' l
mov bx, cs
6 h9 C- t* h0 x3 Y: g lea dx, int41handler2; Q% O: k2 O. g' k1 v* q
xchg dx, es:[41h*4]- K5 \% c# {5 u6 l2 Y
xchg bx, es:[41h*4+2]
4 L7 x! ~2 p$ r( w5 F! O2 C mov ax,4fh3 ?! @/ q: D$ y, A
int 41h" }" u% l. i1 q! K+ T* p' p1 `
xchg dx, es:[41h*4]
9 ^1 J' g% S i3 x* Y. Y$ [8 { xchg bx, es:[41h*4+2]) w% i5 O- C6 c, x' ]' B8 O
cmp ax, 0f386h* x( x3 u4 |$ J4 x; w; E" S
jz SoftICE_detected+ R! C0 e$ }6 B& I: C( `. z1 [, J
: s8 S+ B4 S9 E3 {& x
int41handler2 PROC, E! P" g3 S3 ?2 ]
iret7 ?0 G, [# }5 j+ L g4 e* L
int41handler2 ENDP
7 M/ W- _( J' t% I+ Z- d, [5 @" p4 ?$ s3 Y- g
8 y- Y- a6 n; Q" c( _$ R; O. b* v_________________________________________________________________________# ~! P2 c# n) C* O' O+ _. `
, B. K4 F/ H. h+ |. b; G S
5 {& S: J* [8 a) ?; N" V
Method 06% \$ k4 b$ c+ l/ R+ ^4 z2 K
=========
6 j4 `! H8 g! K9 O+ R/ l) x1 o; b1 W& k7 v/ V
, O; W' N8 F `& m5 u# E+ `2nd method similar to the preceding one but more difficult to detect:
1 a2 e7 s$ b2 ~% A8 j m5 R" J. |
4 p P6 Z& O! Iint41handler PROC9 m4 x9 a- W* q) @( h8 P/ S: ]
mov cl,al; p7 u0 i/ f8 w, _6 Y% w
iret3 a1 H/ \& z+ Y* a) l1 G1 j
int41handler ENDP- x/ ?$ V' C, b! _" L9 e
4 q5 r& F- A& K8 @+ O% [. p
4 `8 N: b1 G) W8 j# m
xor ax,ax' y! G3 c0 L$ {
mov es,ax! |1 W- G4 s7 ]7 \
mov bx, cs+ e, M3 V/ P% U: a: E
lea dx, int41handler
1 p; a" g; ?- D- V9 A8 A xchg dx, es:[41h*4]
, \2 y3 X& n, @1 d5 b5 k* y xchg bx, es:[41h*4+2]
/ a7 w# [7 j" G2 T in al, 40h, }! }, a& s8 ~! W) _
xor cx,cx; ]# R( ?1 v) K# |: J/ t: F
int 41h* v1 z' Z; ~) K" w# D
xchg dx, es:[41h*4]
' D8 G5 }2 ^* r6 k% I xchg bx, es:[41h*4+2]
' r& b( R& n% T3 ~2 n cmp cl,al- Y R3 i6 k3 t v! g# h" p
jnz SoftICE_detected
; k! u2 X* x4 `/ J4 I' y' k! k
+ ~5 x; e- H. O8 @_________________________________________________________________________
( \9 ]; y n# b2 a: |: }1 s" v# k/ A# Z& ^ n
Method 07
% P7 Y2 n" b" ?$ ^=========+ ~0 \' s3 d7 H3 g
8 S, @6 A) t9 b: L- q& p. KMethod of detection of the WinICE handler in the int68h (V86)
" U3 k$ f) _$ d F. T+ [" j2 w D: G2 x9 k$ T6 s. ^$ M3 X
mov ah,43h0 c' }3 \9 J3 `4 k
int 68h2 ~, }5 h0 R2 l+ v, C# M
cmp ax,0F386h
# B7 {# D. f+ w jz SoftICE_Detected
- o1 Z: h- {3 U# F1 H, Y& N F3 s
# O6 n3 C# B9 B; k8 X=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
1 |/ @ e8 G4 J0 f! U8 d* p app like this:" J4 S9 ~# S, D, R3 F* q
0 x" t. n6 D3 i& k4 K9 V3 C. @ BPX exec_int if ax==68' q4 V9 `4 E4 e/ F9 L
(function called is located at byte ptr [ebp+1Dh] and client eip is* {* P, e* u% r; A
located at [ebp+48h] for 32Bit apps)
" p, V+ k9 s* _) O% `__________________________________________________________________________
1 G. Q. b. h/ D9 u8 T# w
, ~" _6 E, `: }' U5 e6 `1 t, p' z+ f' H
Method 08) \) L' T8 J R- S& S1 p% W9 a
=========
. o9 [1 B- H' }. k# |
7 L% F0 S) J; u9 o p- E8 mIt is not a method of detection of SoftICE but a possibility to crash the
1 U$ K7 |. m* }( Bsystem by intercepting int 01h and int 03h and redirecting them to another
' m1 N- b+ E9 t2 Z" e1 }0 `0 Q$ Croutine.. L$ W& N! w- Q1 T* G
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
# K) F4 I" f, v/ dto the new routine to execute (hangs computer...)
/ B3 O! D* |1 c9 Y* v+ M6 O' |' b
) @ Y+ x6 T$ ~7 C( ~0 s mov ah, 25h
+ ~. ^: |) N! j6 A9 u2 d mov al, Int_Number (01h or 03h)" n9 [# _4 s; v( q
mov dx, offset New_Int_Routine
$ l' o' }* @- }7 a$ n5 { int 21h
! M! R% o5 r! K5 Z/ m( N+ M0 g, d7 f5 W+ l
__________________________________________________________________________3 K3 c8 d; L/ }7 V) Y1 y( j4 m
" u. b4 ~5 t N3 Q5 u
Method 09
8 I& {9 n- q% T6 b6 U/ S=========
/ _& ?5 _/ O& R. \$ u8 V$ k0 y/ F0 C% D) L, g
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
+ H, w8 C, M# q: t7 A" ]performed in ring0 (VxD or a ring3 app using the VxdCall).
) g, T1 s- _/ @( d% lThe Get_DDB service is used to determine whether or not a VxD is installed( F! ?7 U# o; R
for the specified device and returns a Device Description Block (in ecx) for
$ D7 D5 ~$ _" j, k" @6 T) Nthat device if it is installed.; P3 X+ n- m0 [: x: _9 n/ H4 r0 `
3 p4 m" Y/ \5 I% g1 S5 q
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID( B$ r5 Q8 _8 M# m
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
. u2 X: Z, v% j; h2 |- \* ?- W VMMCall Get_DDB
; `+ r+ F; k6 C mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed0 u9 B" S* X& l, t1 C' K5 w
s: u G) O6 r6 W) X h% E* RNote as well that you can easily detect this method with SoftICE:
" o; s* c7 R+ O |# T0 o S bpx Get_DDB if ax==0202 || ax==7a5fh4 d: r+ u8 E; v. Q$ M* D) j
' S: u- ~4 i* x1 e3 O. G
__________________________________________________________________________1 y8 e5 J S5 ^) [
; {; E$ F/ h1 \2 @9 ZMethod 10
, w$ B$ P5 Y4 v& _=========6 v [6 h& M0 w& p
) ?, `7 ]$ w- s4 P" d2 X/ K=>Disable or clear breakpoints before using this feature. DO NOT trace with/ @2 S4 ^; }* F- P7 ]
SoftICE while the option is enable!!
" x5 d4 N ^# T3 M4 A, N4 }$ u. y ]& W# i( n. k
This trick is very efficient:8 x0 d' L' y# {, c% n
by checking the Debug Registers, you can detect if SoftICE is loaded
8 V9 _$ E( A" b, l4 t9 ?(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
$ ?- S' k8 l2 n6 H% o% Y4 ~$ lthere are some memory breakpoints set (dr0 to dr3) simply by reading their3 i* T, e% L! k; `. U5 i4 l
value (in ring0 only). Values can be manipulated and or changed as well4 I7 H) x; D3 [! H- h( E7 ^; @
(clearing BPMs for instance)0 q$ f% n. O0 x, x. i
( H, G& u/ j9 M* }+ H4 Z) Y% H
__________________________________________________________________________
c X) q1 o) `* O2 ]6 G* W* l
8 u3 p; \% J7 D& bMethod 11) H" X* t+ Z, ]! }7 U
=========
! r* V( P4 d! T6 }
- a3 k% O! g. CThis method is most known as 'MeltICE' because it has been freely distributed! r' Q' l" K3 J2 s; B
via www.winfiles.com. However it was first used by NuMega people to allow, e, Q- s+ X, l9 @8 ]2 Z3 S" q
Symbol Loader to check if SoftICE was active or not (the code is located
( x5 C& O: n& N8 \! M* C3 Cinside nmtrans.dll).' ^& y* l/ u$ d# }& Q8 u
, N5 i, f- e; p3 V( U3 ]4 X, f" |The way it works is very simple:5 @+ S9 h, n6 l$ L
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for: w+ a/ t) {- X6 }' R) v+ L! V
WinNT) with the CreateFileA API.' S" \; P/ `: d/ Z! ?2 E
, k/ N$ c5 G2 C: j$ D( p3 }Here is a sample (checking for 'SICE'): \( Y. ^' h8 W( g! U
9 z1 K6 r T" A9 ^: v9 UBOOL IsSoftIce95Loaded()6 S" e5 c+ B/ F9 P6 V
{8 B6 K' @! Z! C- @6 Z
HANDLE hFile;
) D4 `4 T& Y9 G5 V" C/ q! ]$ Y hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,% A1 B0 o; _7 Z) I
FILE_SHARE_READ | FILE_SHARE_WRITE,% {, ~' T/ W" X" G+ J& R0 S
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
. i5 k$ [6 k/ N, Q& ] if( hFile != INVALID_HANDLE_VALUE )
# E# A' m2 i4 g6 @1 n+ C2 j4 a {+ x# d4 T0 t3 O/ u% G
CloseHandle(hFile);2 z" J1 _6 _8 ~) V" I3 a0 y
return TRUE;, T$ w* u; `2 d& q$ E. ]
}% ]/ ]+ O& `0 F% \; F6 s' Y
return FALSE;
/ q Y- @& \+ ?5 a# `4 v3 z$ e}
0 |9 @3 E8 b7 r, X# [2 w- H
& d5 p, ?/ Z0 I3 uAlthough this trick calls the CreateFileA function, don't even expect to be7 z& g, K3 ^ J) e, i: y
able to intercept it by installing a IFS hook: it will not work, no way!
0 {- ~* I, w1 U4 ^& F- x. j' u0 {In fact, after the call to CreateFileA it will get through VWIN32 0x001F
1 t8 d! M# x) w& Qservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)3 t$ C2 X) n& J r3 k% o
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
3 j. s8 E2 B9 v9 H# Efield.
, v; d1 r2 Z( C; [In fact, its purpose is not to load/unload VxDs but only to send a ' m( x" H" |9 p$ J- C
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE). P4 f7 e) W- z2 F1 L% D! I3 n7 Q
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
: a' {0 N" l) {4 I; Y8 ]to load/unload a non-dynamically loadable driver such as SoftICE ;-)." K# |. P. K; E0 D, n7 X
If the VxD is loaded, it will always clear eax and the Carry flag to allow4 l7 S( i: V7 p8 ?
its handle to be opened and then, will be detected.) Q, G$ |- V/ M( u5 w
You can check that simply by hooking Winice.exe control proc entry point! e, c0 i+ I) G
while running MeltICE.$ ?4 v( c, T5 h
; F% }% Z' D2 h0 n% o' [) h
0 ?2 C* f; n9 t. J 00401067: push 00402025 ; \\.\SICE
2 [6 z7 j @; ]% x! H 0040106C: call CreateFileA
% }9 {7 K4 ~" a* U: t2 i# R% F 00401071: cmp eax,-0013 G/ N D) d, R1 J. ~6 c8 ?& P
00401074: je 00401091! s" C$ `: _ F* k
0 ^$ L2 k4 @, i% F+ l: K" a9 Y! R
There could be hundreds of BPX you could use to detect this trick.
' w9 ^" m7 K! @/ d) z; e-The most classical one is:
8 k. H% e5 k" Q BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
+ m+ N6 s2 e" \3 f+ o) ]: I *(esp->4+4)=='NTIC': [, x- f0 l; M: b7 U( ^
( \# U0 O' Y# S/ P
-The most exotic ones (could be very slooooow :-(* c$ J7 O3 y$ J# F
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
* W U, m% L0 m6 n0 K! j9 _6 |1 J ;will break 3 times :-($ s( H- o# S( D1 C9 F( Q
8 C) R# w6 D3 F" A-or (a bit) faster: : S9 ~: e7 b' H1 B# }; o" }) {
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')% F/ x: ~* l: \
/ H! }; ^# @, k
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 7 Q$ V- P6 I& M* p7 Q
;will break 3 times :-(: [1 ?# p/ v0 P
% d" i. B1 J" h5 @" g$ y-Much faster:
( {; r" F7 J4 c$ \9 i BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
. a$ [- }" x/ Z0 Q6 c1 f6 t, G; R. e+ M5 X
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen ~0 R) b/ y0 n$ ^) F0 K
function to do the same job:
0 j* Q7 h1 B" e& I6 V7 a+ q
4 D8 s8 b! w7 i/ y9 k+ B push 00 ; OF_READ
2 n6 O, }9 t; G6 e mov eax,[00656634] ; '\\.\SICE',01 I4 O4 {, H! ~4 g1 p- Z
push eax
5 e9 w5 c2 `8 ?1 s( Z call KERNEL32!_lopen& H6 i0 Y( ]) ^# J
inc eax
# B2 S( F& l& {& e8 `6 g" l3 H jnz 00650589 ; detected& z* ]' V. J4 ]- l
push 00 ; OF_READ
$ l8 z; d. @( p( k" s! p mov eax,[00656638] ; '\\.\SICE'# n! @" `2 }2 V
push eax4 x L% Y4 c' H+ r8 z
call KERNEL32!_lopen
* I# o, w; W& {+ z) \, `6 { inc eax
$ ~ c6 _9 L! P5 h" @ \ jz 006505ae ; not detected
( t% a( W( F n: x! B# y6 d! |# a$ i( N# {' z0 h
; [) e4 S. M% b2 w# ]
__________________________________________________________________________; h" H/ g' _9 T6 B5 e5 d' p
. U/ f, K+ E+ W
Method 127 F2 @7 K" V7 \9 r; E B4 n( {
=========
3 f! H2 f6 m0 v3 ], {& U1 R
! D, j2 ]! g! JThis trick is similar to int41h/4fh Debugger installation check (code 05# { f. K* ~7 d# u7 K9 ]% v6 D
& 06) but very limited because it's only available for Win95/98 (not NT)
0 r1 {/ Q) j, Zas it uses the VxDCall backdoor. This detection was found in Bleem Demo.: m- c4 {0 i6 t' Z
4 j( p1 ]6 a/ L3 U push 0000004fh ; function 4fh
- U* x6 m0 w, i& L e+ D push 002a002ah ; high word specifies which VxD (VWIN32)4 _" \: ^, J: i' V T
; low word specifies which service- d) h8 ?& M. J& Q1 F
(VWIN32_Int41Dispatch)
8 R! S! U9 `, }$ w; s0 g9 N* u call Kernel32!ORD_001 ; VxdCall" B/ I* }$ I# e7 H& i: N
cmp ax, 0f386h ; magic number returned by system debuggers
- M0 }" |" \, M+ E9 P% K, J( ~ jz SoftICE_detected9 |7 W- [5 X a# p9 W
& p4 x `) u# R$ e3 v/ q; ]8 [
Here again, several ways to detect it:+ H3 A' v! Y- w6 F/ g
. r3 X& N' M7 [4 H; @3 T1 |" W BPINT 41 if ax==4f
+ x% a' y" o1 H$ G9 X' t" \ n
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one2 I) ~ R9 {8 E* L; U: m" a3 ^
+ A; @7 r: O( b$ E) J" }3 D
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A: }" M2 n. d) s
2 X: {, j% T0 C) k3 |8 s+ @
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
* Z& m6 V2 ~: L4 W! \( x. a8 q- W! ?( u
__________________________________________________________________________
n" E' ^' I' V B5 a) M
/ C' A4 p; Q# lMethod 13; V# p* {, M4 W" ]- }4 T
=========. X* @* y- W l7 t9 G+ P* V5 v% r
b; Q0 l- e. F1 a& ~
Not a real method of detection, but a good way to know if SoftICE is! v" g+ {' J, ~& O L
installed on a computer and to locate its installation directory.
1 c; V) j9 C' c: ]0 J# BIt is used by few softs which access the following registry keys (usually #2) :2 t6 x) I# z" t' _* g- @
p; {& I! _5 Z4 [3 }) {! R
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
1 V9 ~; J6 S& [& w/ I\Uninstall\SoftICE
* n$ L6 J0 Z. d4 ^ h-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE' x$ [7 K3 X, ]6 ^8 @6 ?
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
( r& H8 E( F# I f6 v7 l& a# z7 i\App Paths\Loader32.Exe* m- X) [; m" V. P* e# g6 }
& ~& d1 G% Q& y: S, b \) O+ Q
1 i/ p$ {; N. b0 x- iNote that some nasty apps could then erase all files from SoftICE directory- t6 V5 D5 k+ i! m9 F% j3 p( Y
(I faced that once :-(
! n: w8 M. P- p, d' t8 j% m8 I! t: d
Useful breakpoint to detect it:+ E% i2 \- F; q0 d2 O5 g$ c
6 J, l5 S; k. S8 R% q, U* `& F BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'+ H5 @3 o. {4 E- g, |
1 E8 N! }: l T+ `6 O1 g__________________________________________________________________________ f& ~4 [5 @. ^7 w; G8 H7 _! ^6 H
' |) o2 K* x1 J# V, E9 }8 k9 ?& O8 v. ~
Method 14
" l; ~' N( R; y+ u R" i=========
2 { |1 g/ Z' Z# y# K+ S3 Y% o, [# J0 M2 t1 y% D
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose6 y8 ~' T; B; m s4 x
is to determines whether a debugger is running on your system (ring0 only).7 y. V' f+ O7 d n2 R* A4 q
3 m; M. U0 Q1 U/ F) @ VMMCall Test_Debug_Installed
1 R2 ^) ~% ?2 Y je not_installed% ~3 ]# J/ j: ?* u9 a
6 Q' u+ E6 N" g( KThis service just checks a flag.6 w8 A2 Q6 n7 f' i: h
</PRE></TD></TR></TBODY></TABLE> |