<TABLE width=500>
/ S2 `* J; V+ |6 Z. U z* _<TBODY>
& n4 M( G2 s0 l) f<TR>2 v* u6 ?' d, `, x
<TD><PRE>Method 01 ' a6 H: b! W, ] J% ?, {% Y
=========( N# A* q- }: d' D
9 C. k, V `7 e5 Z% s
This method of detection of SoftICE (as well as the following one) is
/ g2 C) ~5 ~- B# ~( T+ ]2 n$ T, w. aused by the majority of packers/encryptors found on Internet.
' ~: w8 j" e9 ~5 eIt seeks the signature of BoundsChecker in SoftICE9 ]* P0 R- {# z7 J* A ^8 ?
' T+ q. |" C' i. y
mov ebp, 04243484Bh ; 'BCHK'2 |) x- Z; L2 ]0 ^
mov ax, 04h
: y/ ?% N& d! m+ c @0 a int 3 % f6 H" D( i4 `& a9 u, o4 J0 Q1 t
cmp al,4- M4 l# ^' i, \9 U
jnz SoftICE_Detected/ A1 P8 F! K# M& U. J' l, h
w( N8 F+ j% D
___________________________________________________________________________# ^, R1 [) B6 d1 T5 L& Z& t* E
; ~( o7 H0 G5 ~1 M. v; jMethod 02 q% v' m' [' I6 p$ t
=========
8 O% ]/ x1 a- j# W+ w; p9 i$ I0 D* O/ f6 F1 N
Still a method very much used (perhaps the most frequent one). It is used
, n1 b: f; G+ _7 j/ e* Ito get SoftICE 'Back Door commands' which gives infos on Breakpoints,
5 R4 h: v \5 v8 gor execute SoftICE commands...- O5 ]2 G8 Y3 q8 w1 K0 u E4 \3 L
It is also used to crash SoftICE and to force it to execute any commands
/ m+ L. B1 [2 z3 l6 ^; L(HBOOT...) :-((
2 p$ H" }$ p4 d3 q7 I/ c; E2 ?, e
+ C9 B! U& n0 zHere is a quick description:( { H* ]- U K
-AX = 0910h (Display string in SIce windows); p& n a/ \6 d2 M
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
( V, W; P9 x1 L* M& r8 f8 j-AX = 0912h (Get breakpoint infos)
s' ^4 ^) k _8 e-AX = 0913h (Set Sice breakpoints)& p+ H& \9 n7 u% @+ k
-AX = 0914h (Remove SIce breakoints)$ g' o( i9 J/ L8 \% A- n- i
, I! f7 u" J6 B$ aEach time you'll meet this trick, you'll see:
, u& j6 t( _8 F' M! G7 }0 V; B-SI = 4647h$ K. J7 p3 u4 s! _& v7 Q4 l
-DI = 4A4Dh$ f) S% S; X( f* j% m
Which are the 'magic values' used by SoftIce.
* W) ]% Z! R5 J2 d" m* CFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.) R+ d7 v; [+ r- R& a. n$ k8 D( W
1 c. k1 P/ W6 Y% r h" p
Here is one example from the file "Haspinst.exe" which is the dongle HASP2 M O9 P5 L9 n( J# z- f0 _8 s
Envelope utility use to protect DOS applications:" J5 C$ ]& f8 g
7 O# K; M9 E- a
. Q7 T! q# z# S! c T
4C19:0095 MOV AX,0911 ; execute command.: J' `2 @3 I' E6 B
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
+ V; j) Z9 k. V* s: A3 X/ U4 e# B4C19:009A MOV SI,4647 ; 1st magic value.5 @: W" c3 F2 F
4C19:009D MOV DI,4A4D ; 2nd magic value.$ A2 I7 A" C& S, P
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
& G' E! @' O2 {* r& A9 V. o4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
1 }, b3 L2 c: l0 I f* x, X" L( w4C19:00A4 INC CX2 N6 L( _# K& `
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute+ E( x* D+ W3 v. f5 _5 f
4C19:00A8 JB 0095 ; 6 different commands.
1 K/ }# s. k0 u- V4C19:00AA JMP 0002 ; Bad_Guy jmp back.
# u" |+ W( \0 C( u4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
( A0 }/ C6 H& F' |4 C9 [" [: [/ H" \# y; k& {7 o
The program will execute 6 different SIce commands located at ds:dx, which
+ p! v) X. e- G. Ware: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
6 J* @* r' B C% P7 Y* P: Y7 ?& g0 G/ q4 u* Q# u& B, J
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
; M9 q, O3 s# \6 h4 ]8 ]___________________________________________________________________________) k$ C# K3 t) b9 P' r
& U# O5 m6 P+ h& M$ {9 X) R4 i
) u$ [+ v- j# y" e' R& P! o5 j$ BMethod 03
$ Z; ?' H: u6 g& F=========; G, z. j( s0 P0 i1 s
1 [/ y! B2 N" [4 @. Z
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h: ^5 I) T! ?4 l6 Y) |2 C& h2 `
(API Get entry point)
+ c5 _ F4 T- }9 n; `; E) s- T+ E: a , D" x- l: ?4 E/ t
6 m/ D w2 ?4 U
xor di,di
7 R) c6 [6 |1 I. h% K e5 T9 P mov es,di
% P) ^1 }) z& a- p& x; a mov ax, 1684h
( a j1 _/ R% J1 Y& \8 p mov bx, 0202h ; VxD ID of winice/ Q- i5 Z/ Z0 a* Q
int 2Fh
7 V: G( E+ `# u7 g1 k mov ax, es ; ES:DI -> VxD API entry point
: u! ]9 R+ O/ r& U4 s: B/ V2 Q add ax, di
8 i+ y6 t9 H- b3 l0 t& x- d test ax,ax
6 Y- {( k8 f& N jnz SoftICE_Detected
# ~* ]* V% {- A) X. D( R& Y6 r+ ]" q, ]0 r% u2 \
___________________________________________________________________________
) J' y2 E+ ]" o* T, j, M: a( {& U2 t! V1 M
Method 04
- b5 J( W N/ u! c2 W=========5 l! f& \* N) T7 R# S, Z' Z- k
' l' K8 Y5 ?- M" hMethod identical to the preceding one except that it seeks the ID of SoftICE
2 e5 t7 x+ W1 a7 V* |$ s% {GFX VxD.# g7 \( N; r t# i1 J4 Z6 C- s
( p; R2 @: w# D xor di,di l/ |5 `- v) R" D( |
mov es,di
+ @: H1 C. {" H+ O mov ax, 1684h
0 Z# {, H6 N1 H; T/ p) z; O mov bx, 7a5Fh ; VxD ID of SIWVID- h$ F9 q e5 u; c9 a! Z8 \
int 2fh9 M' N( J' X; w
mov ax, es ; ES:DI -> VxD API entry point
7 A2 g. i. [6 s9 \7 c5 e add ax, di* G O& _# d( `
test ax,ax
9 v) f) o+ i5 r0 l. g jnz SoftICE_Detected
) A3 Q/ B6 z1 k0 L! z8 E, S i' Z% q; I& Z9 B, S( `
__________________________________________________________________________3 i6 T- C* i: V1 A6 n; h( J
2 F0 Z# D/ U9 ~8 \- a4 S1 l" V. e& c; ?, k
Method 05
6 O% }$ z3 F; \, j1 Z4 s: K=========* d" l0 V/ G" B3 }7 a% S
0 q# ^. }$ a2 V% |, t/ H
Method seeking the 'magic number' 0F386h returned (in ax) by all system! w2 L3 N6 t N' q# s9 d; k
debugger. It calls the int 41h, function 4Fh.5 F1 N4 p8 F `7 K8 C) l# |
There are several alternatives. % x8 c7 q! q- a {
, I8 }" q6 }' t+ {- HThe following one is the simplest:8 M$ d! j# V( F ^! N& I+ X0 T
7 L7 d1 T# P2 b6 }- |" N mov ax,4fh1 V+ ]5 a3 K6 P# k, |3 R% v
int 41h
: X2 f9 |" s ?1 w, [# o) t) H cmp ax, 0F386# Q) V: o% m3 G6 @+ D# V
jz SoftICE_detected1 B1 z9 L7 b* L" s( ?
! @9 K+ q# @( n$ g i4 _
4 M! J. F1 @9 F( N" y! `5 NNext method as well as the following one are 2 examples from Stone's
& p' s' M6 [- Q0 |+ ]"stn-wid.zip" (www.cracking.net):0 @, i+ h z5 b
6 ?- J+ d' ]; }+ F3 ] mov bx, cs# Q3 H8 o% o. l$ a* L. N
lea dx, int41handler2, e5 K x+ A# ^$ a U' `
xchg dx, es:[41h*4]" a R# F8 I: f1 C5 y3 S+ [: u
xchg bx, es:[41h*4+2]: P, {7 c3 _0 D L& P7 T5 O& W
mov ax,4fh5 ?. b8 _5 y/ Y' b( A% l) K
int 41h
& H8 k: n' O, e xchg dx, es:[41h*4]2 u0 j" w: {. B& G
xchg bx, es:[41h*4+2]
: q/ A+ ~" {1 V9 G0 b) M% L: L cmp ax, 0f386h8 c2 l) n' d$ U
jz SoftICE_detected# `) r9 \& k/ S5 W
1 G! a" x* q$ G4 P/ Q% h
int41handler2 PROC
2 s" {- m# m0 d iret9 ?/ \* G8 M. i4 M2 S- ?' I& c
int41handler2 ENDP9 u" i5 X5 x" Y
0 l+ C% e* j7 g" G% W/ T
# B, m/ y$ U' q% y# V2 ^
_________________________________________________________________________$ M) n& K1 U' Q* P( D' }$ p
1 w5 d4 P. j- X' V# l) d8 A3 R) \* h( z+ U2 ]8 _! ?
Method 06
' S8 a1 g1 _. ?" X2 k; y9 B=========
7 e% ^7 ^: Y# m+ K% ~, a
4 N2 `6 Q$ S8 P' m7 K4 [' r) r/ `3 U8 c( c2 x
2nd method similar to the preceding one but more difficult to detect:7 W A# @, \" K4 T
5 v% u% ]- \6 h' ~& y: i# ^# S- z! X( I; g
int41handler PROC
+ J q8 x6 k4 m; n" H K( J mov cl,al
: R+ \5 e0 g+ u3 H iret
- x' y2 S, O! f5 u# q- nint41handler ENDP
$ Z3 h) ^! P9 q6 a- E4 z" H' O
1 d2 J. N" h2 q) L* ~$ v# n/ H3 }
- ~. K" ?$ v" P: ^ xor ax,ax% z- y+ Z+ m) [7 ~
mov es,ax* j2 L- }/ |% p- |9 o# y. Y
mov bx, cs
' v* {) x. B6 B2 h2 m! o- U; h lea dx, int41handler
) E& w+ O0 q8 ` xchg dx, es:[41h*4]5 m' J1 j, |2 z" Z2 _
xchg bx, es:[41h*4+2]
0 s7 ~% B; ?$ j- t: k8 R7 a in al, 40h+ k% q: g( N# T( j p& Q2 f$ N' v
xor cx,cx' Q+ V9 d4 E% v2 X& M- ?4 }0 n
int 41h
' M1 u5 p5 ^& s \ xchg dx, es:[41h*4]& a* `. _1 U2 p2 H0 N2 y5 ]
xchg bx, es:[41h*4+2]
6 C: G: f; t% p' n- v cmp cl,al, b+ p; _: O1 w c) @% d
jnz SoftICE_detected3 D& R$ m( P/ J( o& q
6 M+ [! w9 M0 T8 h4 S( E; c. E
_________________________________________________________________________
* u, o* f9 F4 G# r& P) z
R* a( v# o) t4 L( K2 LMethod 074 O9 y+ @& k. x' W2 r0 |4 I
=========
9 M K/ w8 j, G. t. D# j7 z2 ~2 l2 k, o% L+ ^3 {% p! i) y
Method of detection of the WinICE handler in the int68h (V86)
) S4 q# }+ k6 S- z3 g
0 J X, q' W* Q. s9 d* y mov ah,43h
2 i) j, L3 ?8 _7 [7 V1 J4 l L int 68h- y: [5 H1 M" F4 p5 j8 p. M7 x
cmp ax,0F386h7 }/ t+ s4 j" n4 b4 x
jz SoftICE_Detected
- x( I0 t# P: r l2 `- U
4 V1 T/ s& e+ R$ p) C( v/ d& o( v2 ~
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit5 C. I2 j# n$ B2 S
app like this:/ T3 j: k/ C2 X2 a, ~5 e2 j
5 D# @8 M+ l3 v5 L BPX exec_int if ax==68
7 P5 _4 Y% s6 Q& G3 @; V0 P (function called is located at byte ptr [ebp+1Dh] and client eip is
* s# Q- T, S8 f* N9 G- j& _6 t" c, g located at [ebp+48h] for 32Bit apps)- @3 M; e0 L* w
__________________________________________________________________________
/ M$ }' D, T5 W$ I3 s3 i% Y ]5 B
" g/ s( R# g; F. q/ h" ~8 \6 V9 H0 N3 K: B$ @! d9 M
Method 08- p& _# F; x' c7 r/ L+ B
=========8 T% ~/ Z* N, N. k
/ s0 H4 G" [1 `7 ~It is not a method of detection of SoftICE but a possibility to crash the2 l1 |) i- J( n6 @1 z9 A P
system by intercepting int 01h and int 03h and redirecting them to another" ?; N; c& e6 u7 ?. s$ L1 M
routine.' k3 f7 W4 l2 G- T9 j* p4 u8 I
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points# v) a2 Z w9 `( w) y) |* F. w) K
to the new routine to execute (hangs computer...)
2 H+ h# k6 ]7 E) H
0 p' M( @5 ?+ L8 W# R3 ? mov ah, 25h# a* B) i S# G+ m& Y
mov al, Int_Number (01h or 03h), Z# Q3 }, `3 P1 j$ W# Q2 U! i
mov dx, offset New_Int_Routine! C* H4 i7 {; D$ V, t
int 21h0 O# K% f9 {& `8 I
& X+ R [2 u$ w/ \
__________________________________________________________________________
/ I+ j, q8 y# \
) |) v f( h- D, s: @0 rMethod 090 F7 `4 O$ U+ g$ m. _/ I2 M
=========! d' q0 T1 c0 s4 m/ L- G
" W4 L& S4 n( z# d2 E+ F
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
* T) \: k+ S* m+ \2 tperformed in ring0 (VxD or a ring3 app using the VxdCall).- h4 _, `7 a* e' z, T
The Get_DDB service is used to determine whether or not a VxD is installed ~# O* a+ x' \6 M/ Z8 ]7 B
for the specified device and returns a Device Description Block (in ecx) for: x- g c0 u$ Y4 f
that device if it is installed.
% L# I9 a8 n* d/ v+ n
) b6 C" l7 V; w" V& n0 ?0 Y mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
% Z$ v4 |, [4 Q) Q% k mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
8 l& E- a% ]; g7 q2 A VMMCall Get_DDB
) D; B! f# y: M1 i+ k V2 o mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
% u% y/ u" t; x- k9 U: V
+ B7 s( _5 U1 i* U* k* w! ZNote as well that you can easily detect this method with SoftICE:
8 N% U/ U) z3 g- i- ~ bpx Get_DDB if ax==0202 || ax==7a5fh
+ c2 h2 V& a0 b B' m+ ]4 u G! F- x, V8 O* y3 k
__________________________________________________________________________9 B4 j4 c N/ Y* d; j2 O
: Y% l3 [) j- i$ r7 V8 {2 B8 @
Method 10
* Z( r! v, D8 \0 g' V0 \7 R=========, r0 H& X% X" { j% m" U k
0 ]: O) l+ ]4 ~+ o=>Disable or clear breakpoints before using this feature. DO NOT trace with- S) V2 b) a" c6 F3 o, Y+ ~" b" P
SoftICE while the option is enable!!
0 ^1 M$ o+ }0 S. a' ^
& c h3 U8 f U5 O. X6 D; IThis trick is very efficient:
4 Z' W) ?; G6 F$ T. \3 Xby checking the Debug Registers, you can detect if SoftICE is loaded9 J6 q. W" J. L' R
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if; |* e! I! a+ k* X
there are some memory breakpoints set (dr0 to dr3) simply by reading their
* R2 x- }" }) P* b$ {* Cvalue (in ring0 only). Values can be manipulated and or changed as well0 p! }$ B9 u" f" [+ y
(clearing BPMs for instance) a) P+ }$ V5 c- X1 i6 h8 k! ~8 }
' g3 g% M% I2 G0 ?$ r__________________________________________________________________________
- ?4 t. u/ a9 @$ J4 w. k* S( K+ x; T/ R9 N( t) y+ Q3 _# J9 `2 e
Method 11; p( H8 f: T5 ]2 q6 [ ^
=========
8 H3 s! O, o9 J
0 K+ I7 s J, G6 _- y/ E nThis method is most known as 'MeltICE' because it has been freely distributed ]( _, u- `0 \ y% R
via www.winfiles.com. However it was first used by NuMega people to allow# g% r4 C# @# z0 ]
Symbol Loader to check if SoftICE was active or not (the code is located
! H( a$ ^7 W5 M: F' f% x) y7 _' Tinside nmtrans.dll).' G- _1 {0 U# _( L
0 u* k5 d5 }; D& @- R8 F& c% S
The way it works is very simple:
6 n% w3 ?4 T. [& ?It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for" T9 M; S+ N6 }( v4 y z
WinNT) with the CreateFileA API., [" g" C7 N$ Q5 A
# k1 B( V* f6 A) t
Here is a sample (checking for 'SICE'):, {+ ^ l# ~# q$ u
0 j6 Z$ |2 {) T0 g7 x7 O
BOOL IsSoftIce95Loaded()
2 S" ~4 Z- c7 j{8 R: Q" B; Y# d( H
HANDLE hFile; 5 ^9 X4 X8 c+ K: [
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,$ b3 V2 r3 b7 R1 f7 z) F) q1 D
FILE_SHARE_READ | FILE_SHARE_WRITE,
3 F' u4 g: y+ h3 ^ NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);8 e7 h4 E" q+ ?$ \# U
if( hFile != INVALID_HANDLE_VALUE )
! B% x1 s* L0 C5 H! { { f6 F* Z3 v& f% Z) E! ?
CloseHandle(hFile);
2 \% h9 K$ v! @' b return TRUE;0 T+ o: D; G6 E3 Z( w/ ^' `& b
}
) O7 }; s8 J& k/ n return FALSE;9 s7 k3 v, r ^) P- P
}
- d& I7 K6 ]$ Q, y u; b& y1 T0 k& @2 _
Although this trick calls the CreateFileA function, don't even expect to be& w. ]2 [! N7 T# K+ J" V& f
able to intercept it by installing a IFS hook: it will not work, no way!
1 p# i/ m k3 D- D% c: K5 |In fact, after the call to CreateFileA it will get through VWIN32 0x001F8 O. j' O, V6 j0 {8 _0 g+ h
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)5 b- }( S# p# S. F8 D1 t
and then browse the DDB list until it find the VxD and its DDB_Control_Proc) |7 h" z) E3 R3 L, H3 p( j! A
field.
% d* c/ r4 w; S8 |2 X4 k" n. BIn fact, its purpose is not to load/unload VxDs but only to send a / P x2 T, Y# q) ]8 ^' K8 l$ D: O
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
' P- b# M3 c1 [0 T: ~to the VxD Control_Dispatch proc (how the hell a shareware soft could try) ] t A' z" l. X: ]3 ?; @$ @2 D k
to load/unload a non-dynamically loadable driver such as SoftICE ;-).5 ^+ R/ x, j9 b% b7 o3 |8 `0 O
If the VxD is loaded, it will always clear eax and the Carry flag to allow
1 O: e Y' p; h0 jits handle to be opened and then, will be detected.
0 E& U: A1 {: A+ n, yYou can check that simply by hooking Winice.exe control proc entry point, U& u/ {; Z6 r |' o8 {6 g8 n% d+ O
while running MeltICE.' `( [3 Q" S, }, B
8 }" G p0 ]9 I5 P( [. Z" S1 y5 e
2 v* e9 g( P: {+ @ 00401067: push 00402025 ; \\.\SICE
" u( A# c; }0 y 0040106C: call CreateFileA
* p" H" h1 s1 c' E- ^ 00401071: cmp eax,-001
0 o! a( j, M8 u 00401074: je 00401091
, E: V* r" U6 K& L) t& \: G8 x
0 S7 f8 Y+ m( ]0 `2 r3 j; J4 M( ?4 \; y# {" x
There could be hundreds of BPX you could use to detect this trick., i c4 W4 ~; [: b( F. b( w
-The most classical one is:: ? P& p5 z& g1 E& u8 t' H' `6 b7 t
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||3 }# \' L, o, K
*(esp->4+4)=='NTIC'4 z3 }$ F$ S" c; W( R9 f: l3 {) P% a
" c8 w! h# Z, Z+ C7 W6 S8 ^
-The most exotic ones (could be very slooooow :-(
6 b6 |- u) L1 S3 n5 q3 V BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') * c" `5 s* S) s* |
;will break 3 times :-(0 O/ k9 C$ C( p
' i7 e/ e) D, z$ _' i8 X
-or (a bit) faster:
0 K0 X: ^6 M6 q BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
7 m- X; I2 W4 e* s
& y. K/ Y8 v( s/ D4 X/ A- K BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' : T5 P( U9 b; {1 E0 d/ O# u, Y
;will break 3 times :-(
" E5 I! ? t" u& @% x
* a5 |% _- ^+ J B-Much faster:% I; f# A9 `/ Z- s
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'; S2 S- ]* i1 z" d8 T
; x( b" j) q& |; l$ w0 p# ^% T
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
6 \- n8 i; V4 a- Y9 I' D6 L2 O$ Nfunction to do the same job: i1 Q4 y7 I% m2 ]/ v. J2 ^, l' k
+ N# o& U/ T; `7 Y, y, D; n
push 00 ; OF_READ% @1 W# d: b7 J& G W
mov eax,[00656634] ; '\\.\SICE',0! O* C2 K- _! {; |" k; n( X
push eax" ]3 i% D( q) u7 z& P7 u2 o0 ^
call KERNEL32!_lopen
3 `: G' l. J% Z( o/ K5 d inc eax
7 S& @3 I4 i S Z% e3 s1 I jnz 00650589 ; detected
% L8 Q' L) ^, Y6 z push 00 ; OF_READ
7 `2 \, p' i1 b5 e$ l9 k mov eax,[00656638] ; '\\.\SICE'
' t7 \% Z, A9 a6 i9 x( w0 | push eax
; s+ v0 d, \; s% c; Z7 t2 e0 @ call KERNEL32!_lopen8 M* s7 Q! o# o% m6 ]' J
inc eax; I5 @0 G; @; G, Z* U
jz 006505ae ; not detected$ x& d F& C& o4 `. [) Z
& @/ ]& H5 ?2 {4 K* q
" g: v9 H8 g: W% ]7 W__________________________________________________________________________+ O- m% R% ~9 g( k
- n+ z1 }. j# M$ {- b; UMethod 12 H2 U- X. _& {+ _6 n8 s
=========
9 r* D) c; l$ b; D( Z8 [# S! b# c( T2 X" _9 H
This trick is similar to int41h/4fh Debugger installation check (code 05
$ ]' y' k* |( e7 I, h: l& 06) but very limited because it's only available for Win95/98 (not NT)4 R, m: ?% A# M+ r) f
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.' c, R, }, Y* T( d0 ^8 g7 q" W
$ E8 V! \/ {4 M! O- X
push 0000004fh ; function 4fh
: N z4 v# C+ C1 n push 002a002ah ; high word specifies which VxD (VWIN32)
' ~5 V# c, g/ y! g4 F1 @ ; low word specifies which service
: G* c6 T% P8 a3 E' F9 R (VWIN32_Int41Dispatch)$ t a7 ~1 U X R; R
call Kernel32!ORD_001 ; VxdCall
6 P- m1 y9 o5 v; Y* G1 c# N) O cmp ax, 0f386h ; magic number returned by system debuggers
, {& C( M+ z) W+ A: q a jz SoftICE_detected
7 u* _5 \7 k. d: z/ M; Z$ R9 D/ M2 o
8 D8 ]- [( v8 Z0 hHere again, several ways to detect it:1 D: V& m. A+ a$ A+ _7 _5 X" M0 E
, a8 E9 x6 Q) c' m, v; G5 I c
BPINT 41 if ax==4f
( Z! b8 {7 p9 V+ j8 X t: R2 B W. I, t0 p# @% o v% b/ X
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one+ ?! T2 m1 n3 l2 l* N% U
+ t. c* F6 M3 D. w& E
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A8 p) q- ~5 X" i4 o3 S
: K* h: F4 U# `5 [/ L2 ^4 _ BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!5 d3 y1 P" s$ x8 p+ T5 j
# `4 ^9 T8 w9 x* |2 q
__________________________________________________________________________
7 G8 L' b( S; t
' f' B0 G# S' b" ~, q: p# z5 fMethod 13. T5 ]0 i' d. s1 s. H M u# W
=========
3 I- M1 ]4 {3 j2 ^: O# }
1 Y1 A5 S# u! ?# p( K: pNot a real method of detection, but a good way to know if SoftICE is
- d' x2 n. ^7 X# {# yinstalled on a computer and to locate its installation directory.
; E& {0 I+ P X* }7 G# ~) J3 g6 DIt is used by few softs which access the following registry keys (usually #2) :
, }% e5 G W: {7 A4 c/ ^6 h; T3 P4 w
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
' t/ Y) W! { g' ?\Uninstall\SoftICE
9 b& `0 {* e) O* k; A-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
; p7 i& `, R/ n-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
: m9 K' r9 X* s\App Paths\Loader32.Exe2 F) H0 c7 O5 L0 ~
4 \7 m' K6 m% Z0 R) Q
2 r9 \ S7 a0 C( E- ^Note that some nasty apps could then erase all files from SoftICE directory# h. C V5 U% C& A
(I faced that once :-(( N4 @* H- B7 Y+ c8 \( L
7 h4 h+ t' ]4 L- O; \7 r7 G0 IUseful breakpoint to detect it:
2 U+ P7 ?& L a! V- k8 E/ T
# m, q, M X/ F! v" a- V7 P8 b BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'; M# W' Q1 t# S" z
5 b* N9 T# O" q1 N3 I__________________________________________________________________________
3 t( K8 ?5 d. p" N# ~. d% J! a& P$ q& a. \2 H. L
! F7 q% ~" ~4 L' f
Method 14 3 n- t7 y1 }* [) m& H' U( A
=========% b: z! r# F$ E. _
0 i* u" o% U- k5 h0 D% MA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
b- L, d; E" xis to determines whether a debugger is running on your system (ring0 only).
# O- y2 W9 K. L# r4 Y& `$ T l4 O" x% q! f
VMMCall Test_Debug_Installed
2 U& O; o: H3 {9 K* j- S$ N0 h" R je not_installed
+ P! K7 I/ H9 U6 K! @( O& E
C, H$ I; E' h- n$ X" _This service just checks a flag.9 D' ]7 @1 J6 @+ j6 a0 C
</PRE></TD></TR></TBODY></TABLE> |