<TABLE width=500>
" ~( L" ]+ Y- W<TBODY>0 `0 d" {0 a3 j6 d
<TR>
4 Y; Q+ C3 q4 Q# t0 u) g<TD><PRE>Method 01 R* D' d) d5 | }) u
=========* D1 Z) p" ? p8 j
4 n7 f" s# G) v' O7 g/ E* ?
This method of detection of SoftICE (as well as the following one) is: ~2 t7 `! Z( r/ L
used by the majority of packers/encryptors found on Internet.$ y" @; n5 x8 o0 m; a, y2 K
It seeks the signature of BoundsChecker in SoftICE
% ~! `3 @9 s7 d; k4 n$ ^3 F9 i+ H9 H/ |! O' ~, e
mov ebp, 04243484Bh ; 'BCHK'
+ t$ [+ S) \5 E% M mov ax, 04h
3 m- t9 N- o. o7 e! ?6 k# n int 3 ' Z0 b. ~3 ~* p' L$ ?
cmp al,4! k- o0 z+ _+ w- [) S- P) f
jnz SoftICE_Detected2 s5 b/ U. A5 j: u) Q
) {# C( H& E1 s3 G/ J
___________________________________________________________________________ D* G/ z( ?7 o' B5 P9 d5 x$ z z
1 L# w& J1 R5 }4 bMethod 029 y' T W! S) _& l' q* s
=========
0 e' g* p3 X( \9 F2 Y9 G: v1 e0 r% l7 ^0 K9 A: ^9 }
Still a method very much used (perhaps the most frequent one). It is used! d) y$ l/ [& p. T+ S, a
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,) ` @; M* E# J1 E _8 S) V
or execute SoftICE commands.../ Y; W7 I& l0 ]4 n
It is also used to crash SoftICE and to force it to execute any commands
7 _2 }- @% f) `(HBOOT...) :-(( ( A: W/ m' J `2 G
1 p6 r& m* A, J' B* d! j
Here is a quick description:% d+ n" l! l B, z. E8 W* E4 y
-AX = 0910h (Display string in SIce windows)
# _; ^! P: C, Z5 J* d6 S2 _# q# T-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
% L g9 U) f# Z, G-AX = 0912h (Get breakpoint infos); b3 g" W/ a+ @9 w, t
-AX = 0913h (Set Sice breakpoints)
?/ |! E5 R# m7 f, Q" }8 ?-AX = 0914h (Remove SIce breakoints)
1 y( H- ~0 @! q! |4 a& x/ L h$ p& b, V# i7 j+ Y. d
Each time you'll meet this trick, you'll see:6 }% I) t0 ]2 v7 d5 P9 s2 C
-SI = 4647h
, L2 K R: O6 p! N" A-DI = 4A4Dh
# g2 t3 q: [+ WWhich are the 'magic values' used by SoftIce.* i; U+ t& S6 m: Y
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
9 J) y9 l. ^8 ~2 b* C1 m
Q, h0 ~$ {& l) P$ J0 A ~Here is one example from the file "Haspinst.exe" which is the dongle HASP
; v2 z* y! ~; f$ AEnvelope utility use to protect DOS applications:1 ]5 g3 G' f b8 v5 u- l
2 o1 `7 P3 q; z) M7 [1 g0 [9 Y" P6 m3 Q5 X0 O2 H
4C19:0095 MOV AX,0911 ; execute command.( r2 o( L6 q8 T
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
1 k& h5 M' L2 W5 v @* L4C19:009A MOV SI,4647 ; 1st magic value.% u7 K9 F2 c, Y; P1 i, s1 K
4C19:009D MOV DI,4A4D ; 2nd magic value.4 y- e# V# b1 H2 Y+ P/ |
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*) g: }+ D( j8 i4 z; \
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
/ v' s$ Y+ r: w% k+ D7 k0 b4C19:00A4 INC CX, s( b0 r6 l# ~0 I6 e3 P% t5 S# Y
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
/ P' K. w7 Z5 S) j C% [4C19:00A8 JB 0095 ; 6 different commands.8 {$ u. j- K' P: ^4 s" P
4C19:00AA JMP 0002 ; Bad_Guy jmp back.4 V- |+ V5 }* K7 R( f) ?0 c
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
0 |8 N: a7 Q- d7 A9 F7 r
( X9 o( v7 l4 g. e) x: X4 PThe program will execute 6 different SIce commands located at ds:dx, which
+ J# K2 h' V' t: x$ k, Q1 s. {; Yare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.6 V, J$ |8 r; `$ Q6 {2 L
$ q' w7 ]) U6 H1 ?, V0 O4 W8 Z* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.! C9 @! Y% w: t+ Z1 O
___________________________________________________________________________
8 \5 @, H( s5 n& D& d P8 J k6 }, t% O: H2 i5 S' R
: Y0 Z9 R2 O5 ?' h
Method 035 `, v" _" v# o* G* R3 L
=========
* Z3 \$ W! h# I7 W. v" q& \6 L, T
5 l( V, r! F/ \( I2 _8 a( nLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h |7 n9 \8 t, ~; a V
(API Get entry point)$ s) e. b0 T! z+ a3 @
" O* _: f' V1 Z) O4 [$ E8 S
" e1 J/ z4 k" y+ E xor di,di
, o R( o5 c' w mov es,di4 C) ~1 J% r% G V0 e% T+ t
mov ax, 1684h ' ?0 g8 M, C+ G
mov bx, 0202h ; VxD ID of winice
# `8 X+ {: F$ V; A0 n# k3 j5 U int 2Fh! g& N, y4 R4 ~; z+ S
mov ax, es ; ES:DI -> VxD API entry point4 y! Q# m( r" _$ g
add ax, di
# M8 F( }8 l q: {5 c test ax,ax
5 R6 h4 \- ], f2 F$ q3 c7 u" d3 i6 o jnz SoftICE_Detected
5 }/ }: M- N' v( C2 _ C! ~7 ]7 A1 i0 x' K+ a" x. p* k
___________________________________________________________________________
- g+ b- p) S* \5 K R. y9 K
4 {9 |, f% @) iMethod 04
! y, h' N }6 F- T=========8 E/ L0 U1 K0 l$ N& Y3 q
6 K Z4 r$ i) c5 M
Method identical to the preceding one except that it seeks the ID of SoftICE. J6 ]- Y5 W" g1 }: [8 p/ J! d
GFX VxD.
0 R7 I; I1 w% {( Y, w5 h, n
$ s9 I& f& D2 ?+ x( O xor di,di9 l; t1 k& u0 H: g' f. A* \) P: z
mov es,di! ^; p# g# a: j6 c5 q- \9 N
mov ax, 1684h
! Z2 N# g! u& G mov bx, 7a5Fh ; VxD ID of SIWVID3 r' C0 K! t3 c
int 2fh
5 Z% { u+ c. O* k4 N h6 E M: R4 f mov ax, es ; ES:DI -> VxD API entry point1 t5 S0 n: _$ w% y; } E
add ax, di( }! H" h' Y& ~8 O
test ax,ax9 l6 T! L0 _9 y: P8 g( _2 m o- j
jnz SoftICE_Detected
3 ?) C' U: D, Z' r$ h# z) h4 M8 P
+ o n7 X+ B/ Q9 D8 Z; @5 g__________________________________________________________________________+ H8 \( [* @+ S7 C5 B
; `) p4 F2 b' s5 x+ r
7 Y7 l+ L3 R- t" z; S( t
Method 05* m z8 Q6 h1 a" }4 |1 O
=========* f/ V9 E: `0 i4 g8 U
) L+ R& ~& i/ X2 L
Method seeking the 'magic number' 0F386h returned (in ax) by all system9 d, \ w: r. A4 E. J
debugger. It calls the int 41h, function 4Fh.
& T2 ?3 ]4 e9 L* Y) UThere are several alternatives. + J3 D% f) v1 l j
* m$ G/ y1 d8 Y, k* L6 }8 h3 j
The following one is the simplest:" K% ?' [; M1 h3 C3 }& ]
# T$ D$ C% I$ Z! X
mov ax,4fh- N3 C" Z5 V8 T2 D& \+ g( v2 t
int 41h
1 f) u7 v* U+ q* K cmp ax, 0F386
/ i, S1 V. ?: ^# S jz SoftICE_detected8 Z* N: _& p3 f4 G5 W5 x$ C
0 T/ g6 U3 O" ^7 Y- |; E
- c, ]9 o/ h: p7 Z( V0 g, u* u- V# ANext method as well as the following one are 2 examples from Stone's % Y- r2 T; F6 e- G: s
"stn-wid.zip" (www.cracking.net):: L, W5 `; S3 V9 |, ^6 j
# z, k: B% q& `: m) d3 X
mov bx, cs0 W! T% o3 `4 h" _' J
lea dx, int41handler2
3 i' u+ a4 n2 y( t/ b# G xchg dx, es:[41h*4]+ q0 { R1 B; G) g1 j+ ]
xchg bx, es:[41h*4+2]3 z" ^( D% ~: L! c2 a
mov ax,4fh# P' A4 N: S5 m
int 41h2 O5 F3 M9 [/ ], F3 b% O) R
xchg dx, es:[41h*4] K4 M' h# c$ ^4 o, c
xchg bx, es:[41h*4+2]
" X6 @" W6 S$ N( Q; | cmp ax, 0f386h
]* v* j0 z; o$ a, c& b jz SoftICE_detected8 W0 X" B/ M# \+ h; B3 Z1 F' q
' z5 T( B% C7 U: Q3 W4 o7 Dint41handler2 PROC7 F1 N4 I$ s, w {
iret
* c* b( I! P M+ v7 V( ~) W/ gint41handler2 ENDP
) X! \" M/ L/ _/ X. E, T& H9 h1 E, p9 q! O* l
. r1 r, C9 k/ w8 v! f1 a& H_________________________________________________________________________% E1 g6 O7 K" `4 v9 F2 i, W' N
# n: r. x/ s4 Z/ q) m* ~( s8 [3 Z: C9 P
Method 06' S% O. B1 ]" w7 r" {$ w) v9 o
=========7 f" W+ O. ]8 I( _% ` t
2 @' f7 a% @/ Z$ }3 u5 B7 `
& V4 p6 P4 x0 A. X1 k, j9 b' `2nd method similar to the preceding one but more difficult to detect:( w% o) c T1 ]; l Y# L% Z2 A
7 ~/ {. V; I% h8 L- J0 ^
0 ]" F$ F4 t3 e0 m2 qint41handler PROC
, d) o. e' U' X: n" R1 r6 m mov cl,al% l% d7 m/ c, S: w. i
iret
2 W2 T$ d" D& N6 W) ?' P eint41handler ENDP
' l! s/ v" M& \+ T, Z
! d& K7 x3 `9 r. t# U* _) L& I" V& i. a9 `' u; K- k2 Q' V0 b
xor ax,ax
1 G$ W0 M2 F% S& k( ]; Z# i mov es,ax7 ~- {/ X' @, E, U& n0 }
mov bx, cs4 s- }0 o: X! V2 b) x- X
lea dx, int41handler( f: ^ Q8 f/ n$ |3 S! `, K5 p
xchg dx, es:[41h*4]
) G# R/ @' u2 N! c z! \' ` xchg bx, es:[41h*4+2]
' G9 |0 L! G1 R" H- b in al, 40h' `3 ?8 B9 |, b# \& ], b$ M
xor cx,cx
, p, \9 p3 M& z# V. R6 a int 41h
/ j6 G( F, A! Z3 |1 T; @ xchg dx, es:[41h*4]
; F0 J2 M# G9 m+ Y) Q9 p xchg bx, es:[41h*4+2]
7 \! r" _- S' W7 C) Z- a; F( d8 ]! ` cmp cl,al
# d* t$ N: Q: O' c jnz SoftICE_detected+ u1 ^4 G. W/ e5 P! T) j" S+ L4 ]
# ?; c' K& P; i; A" K& M_________________________________________________________________________% i( `) D* Y5 G- ~# B
) U, ^! N( `1 g+ }$ _4 S
Method 07
/ J P4 r7 i' n4 o1 I4 S) O- T) }=========$ w3 C4 i' A3 Y" N% W
# n1 G# F. `" g# H& r) C. I- cMethod of detection of the WinICE handler in the int68h (V86)
1 Y6 l6 S9 J" W" [ j: F) r
# q! n- |& q& \0 t mov ah,43h
X( d. B7 X1 D; D0 ~ int 68h
, R. `# H2 R% X6 p. n. H2 E cmp ax,0F386h0 g; U& d; d- T! \) I( a) Q, R2 O
jz SoftICE_Detected
& T- {" c, F! E
; x0 _% U7 K. @- ~5 T5 v+ n
R* F" u7 \4 @* J* r8 O; y=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit6 i$ t. ]# I C
app like this:0 a. l7 [3 m8 w& ?! K+ s
; X( I) F8 z- U2 l$ u( r' z
BPX exec_int if ax==68
8 J+ j/ i3 d- {2 c (function called is located at byte ptr [ebp+1Dh] and client eip is9 f% L+ q3 Q4 d3 A# v
located at [ebp+48h] for 32Bit apps)& i- g4 H/ M0 h* {2 J- a# z
__________________________________________________________________________
1 [" C( W4 K3 ]7 X- o7 X' N
2 s7 E9 N" C, B2 u6 B6 ?2 @0 l Z% y' [
Method 08
$ v' A) `0 H- N& d' L( [5 G+ V=========& j! k9 R9 i9 G8 A( A }
/ |0 w+ a$ O0 X- S* i2 V- w* wIt is not a method of detection of SoftICE but a possibility to crash the
- y: h* S/ d' F6 s& \system by intercepting int 01h and int 03h and redirecting them to another
. }9 x7 w' A! _9 `' v) @5 ^5 Yroutine., g7 I7 o/ i# C- d. U6 r, r/ B
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
4 _2 J& E2 L% q- W! A' Ito the new routine to execute (hangs computer...)
6 d5 w8 m5 ?! t$ n" {
/ E& y: @) s7 I# Y/ J mov ah, 25h$ I5 r# B, J# w0 x
mov al, Int_Number (01h or 03h)
r* q4 t2 ~+ R7 c' w( ^/ a mov dx, offset New_Int_Routine
$ ^- K% i. K; |/ K4 Q; ~4 \ int 21h# ?+ s, C: J) b8 R+ m" P+ Q
, D% v8 r% |5 k+ }7 K( h4 z) p__________________________________________________________________________2 O# B& b, _- g; R
: o, ?' v- m t
Method 09
9 r S+ Q. m6 O/ C7 a7 k=========
: H' ^( U3 J# n, W! _
( r) t* \' p6 W2 U4 nThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
5 _4 q( H$ A% }+ G5 p7 ^3 y$ dperformed in ring0 (VxD or a ring3 app using the VxdCall).
) c/ V* s7 X/ v+ O/ _8 }* @The Get_DDB service is used to determine whether or not a VxD is installed9 j; m5 O2 q. I8 S* ~
for the specified device and returns a Device Description Block (in ecx) for
, b1 _% l$ X6 `8 _9 Othat device if it is installed." P& A1 r E6 z8 c8 G2 H2 [3 f
3 b/ N2 a7 A/ o. x
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID$ a+ Y* t( F3 W) m5 R/ z
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)) ~; w+ W& q5 e: I
VMMCall Get_DDB
2 E0 P% o' g1 h, l+ h mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed: X- Z2 t7 A% Q6 t( G$ g: w# ?( U
* M: m- I! z* |5 rNote as well that you can easily detect this method with SoftICE:
# h j7 L- j6 y1 y9 E" T bpx Get_DDB if ax==0202 || ax==7a5fh* ^/ g$ Y* I/ W" m- y
) f5 k4 h/ p3 ^- c$ m4 L
__________________________________________________________________________: y1 F0 O; S2 t9 p& ]
0 R: p4 k# U! TMethod 10
) `' T* `: \1 o) D" Z8 u! G4 @=========
# S" E" m1 ]. W* a5 R6 _7 Y* A" B
=>Disable or clear breakpoints before using this feature. DO NOT trace with3 |) I6 t" C- U0 s% J1 R8 \
SoftICE while the option is enable!!
- i1 H$ ?; ^$ I8 s0 T/ v. b4 i" \& @8 G j% r( B4 l0 Q' T
This trick is very efficient:( B. y8 U) A$ B+ _& e9 i
by checking the Debug Registers, you can detect if SoftICE is loaded+ B( } F% h5 A# }
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if6 V6 x% m# r6 I) H7 a
there are some memory breakpoints set (dr0 to dr3) simply by reading their
+ i: Y/ {( b7 Lvalue (in ring0 only). Values can be manipulated and or changed as well+ n& C1 |8 A; f' q2 {3 J8 J$ k
(clearing BPMs for instance)
! X$ @- X& h# H2 _) K
% _1 Y& B, _; R Q; L__________________________________________________________________________
) w. f! _. @' g& B1 N- x; X1 l; W$ Z1 `. P) X8 ?. v4 K, S: G
Method 11
; Q* i$ u' N0 p0 D7 c$ m" k=========
( H9 k2 J, F2 i0 h1 I2 Z0 U( m6 `
This method is most known as 'MeltICE' because it has been freely distributed" W2 b, e3 m' R K' ~
via www.winfiles.com. However it was first used by NuMega people to allow$ }# A2 o& I' L) j: t
Symbol Loader to check if SoftICE was active or not (the code is located9 _% K" L; H9 J1 S
inside nmtrans.dll).
3 \5 [3 i& d) M; o
+ f @' Y( j3 w1 |The way it works is very simple:2 \0 X( R& g8 p* W+ [. j, S7 J
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for" S# B1 \/ Q! C/ m a5 t
WinNT) with the CreateFileA API.: P9 I- Q( U5 [3 c2 k" y
, m$ K* |" L; a e
Here is a sample (checking for 'SICE'): Z8 {# T4 ?' C8 A, u
C. ?8 P3 Z; j' Y7 D6 H) X1 iBOOL IsSoftIce95Loaded()
8 V' i6 Z V9 E{% B8 f1 P" B# {: ]( H* z9 g
HANDLE hFile;
0 i0 Z0 T2 W# n) Y# ~, {6 L hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,8 Y" t/ [0 ?2 S2 q$ G
FILE_SHARE_READ | FILE_SHARE_WRITE,
5 g% U0 @/ v5 f( ^. ? NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);+ d6 h9 s- y" ?! G, ?) Z) T2 H
if( hFile != INVALID_HANDLE_VALUE )! @5 p9 v/ P% v/ M7 p# z
{# u4 [' H. Q( }. Y: b# z) q
CloseHandle(hFile);
, a( }3 t! g i. I8 g0 l return TRUE;
" x8 e' [$ i7 X/ [ }
$ f7 a2 ]5 Z6 I* i; j, u6 B return FALSE;0 J! I) Y# f% ?) W
}
0 f. [2 t5 ^+ U7 ?+ B( [7 s
* t" P! `8 n6 H- eAlthough this trick calls the CreateFileA function, don't even expect to be8 g( N# n1 u+ T. F7 H
able to intercept it by installing a IFS hook: it will not work, no way!8 `$ O% T2 a `9 Y0 h2 h! j5 ^
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
0 l9 p. @7 I, p; P; w$ [service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)9 V e6 O8 h9 k$ r" d# ^, ~
and then browse the DDB list until it find the VxD and its DDB_Control_Proc* {% I2 `& i4 f1 f
field.! n4 e9 U/ ?1 i7 E/ O" v! K" `
In fact, its purpose is not to load/unload VxDs but only to send a ; P. A6 ]. U: p6 |2 `( k
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)9 Q4 C8 U1 m$ S0 A% z. J
to the VxD Control_Dispatch proc (how the hell a shareware soft could try5 V( J, w; p1 I) |8 d) Q9 T. N
to load/unload a non-dynamically loadable driver such as SoftICE ;-).( }& y1 g. S# v& k/ |7 A
If the VxD is loaded, it will always clear eax and the Carry flag to allow8 b, E: p1 r, p* x7 h/ x
its handle to be opened and then, will be detected.
" b% s" b x' |+ `6 W9 eYou can check that simply by hooking Winice.exe control proc entry point) y; C4 _, U% Q6 J. }
while running MeltICE.- c9 I3 D8 i& z
7 e5 a0 l M) t
7 f" C5 h' Z; b2 f f+ r
00401067: push 00402025 ; \\.\SICE
) h* L" T2 z: D! j 0040106C: call CreateFileA1 m H" J( G" @; i
00401071: cmp eax,-0018 Z; @3 o0 {. z5 Q3 L8 L }
00401074: je 004010919 L, X1 O: T# |
9 t4 Y+ [5 Y! K/ R+ A
$ G4 |# d% T- eThere could be hundreds of BPX you could use to detect this trick.
/ Y% A9 i0 O9 p* Z2 B3 J-The most classical one is:' b' V; Z c" m4 r
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||- S& C' x+ {" T$ {, N( i4 ?, K3 e5 q
*(esp->4+4)=='NTIC'" [* f; q* f& a& y6 g
. o6 D9 R' r% {$ X+ D-The most exotic ones (could be very slooooow :-(7 K: ], F0 H0 P5 T% S
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 0 K/ D+ j& g; o* x* P
;will break 3 times :-(
6 m, D0 `# m8 @! {
, z7 k, F1 o8 L) |-or (a bit) faster: 0 O$ P2 v" B9 X3 ~' z \
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')* c, \; Y$ n5 w
5 N4 x+ Q( t( h. Q7 O BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' ) \/ |* `. y, s9 ?/ w" u. [% c" P9 P
;will break 3 times :-(4 D" e9 f! X8 Z$ v: v: F
/ y7 L( R5 @& x* I) }( v; v0 n. k-Much faster:9 y, t3 J6 n! n* {
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
( a( s8 Y3 {2 _8 u5 J1 \; i( {% L: s# n- H" h4 a3 ~# T8 m
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen: o( _$ T2 }8 E* P: N
function to do the same job:' |; k+ x0 [; h9 ]0 `7 O
7 f% a) e0 B% I# z& |7 a, c% F push 00 ; OF_READ
1 e: i- t% ]5 \2 X; V1 F mov eax,[00656634] ; '\\.\SICE',0# ~, x7 [1 T3 r7 x
push eax
& ?# r) t) D, g4 D call KERNEL32!_lopen
9 [' Z( B9 ]7 A inc eax+ s' O$ r/ s7 C$ N& U
jnz 00650589 ; detected& _9 K' B9 K) j: y& G, F0 a1 |
push 00 ; OF_READ+ O6 }4 Z8 }; ]3 M. ~
mov eax,[00656638] ; '\\.\SICE'4 T, Q) P6 H( X; r( ~' p
push eax1 q4 J2 o* x* U% G; x
call KERNEL32!_lopen& `: |% e0 X: e+ O Q
inc eax5 z" r# ]- \, E
jz 006505ae ; not detected
~" l) J( m" C6 e3 C6 l" T' X* C R8 a+ {! O$ R5 R; f$ T7 W0 D" _
" Z& L5 q+ c( j& [2 o3 J__________________________________________________________________________; r, t$ K, ]& h6 M
& b1 U/ R0 s7 F1 R1 r3 W6 B9 VMethod 125 g: d' T- v9 I4 k) U# W8 x
=========
. m7 v6 o1 V0 c) m+ s+ ~0 T3 W7 v2 B/ w
This trick is similar to int41h/4fh Debugger installation check (code 05- y9 c$ y. g2 n6 r% ]* p e; G- ~
& 06) but very limited because it's only available for Win95/98 (not NT)2 ?# k6 i- L+ \' F, q9 {
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
. X# [4 f: Q! s% y; Y% J& l1 k1 k% H B" Z
push 0000004fh ; function 4fh
: x- S {; O9 y; \7 Z. U# e9 E push 002a002ah ; high word specifies which VxD (VWIN32)
* ~8 \" p( D6 r9 F6 i8 G7 G6 E ; low word specifies which service
! i& D% p0 O" W+ U% \/ |" n/ K (VWIN32_Int41Dispatch)0 t# n6 g6 L/ X- I7 F# F
call Kernel32!ORD_001 ; VxdCall
4 ?3 y* ^$ |- [) M# T cmp ax, 0f386h ; magic number returned by system debuggers& {2 A2 [+ X: h1 y) c: F) l
jz SoftICE_detected
, t+ y: |7 A7 E0 {2 u2 s9 ^3 ]. ?5 p" X3 \' a$ ?$ U; }; x# _
Here again, several ways to detect it:
& r5 \1 N. z% ?% {2 k# n
9 e$ n- s- ^ m$ p6 z) ` z BPINT 41 if ax==4f1 z; i7 u# V) U0 Y& M8 G
) H; ?8 ~) z f7 x8 _( o BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one/ z+ \- X" z c7 m7 d( q. u/ r# x/ n
& S/ w. E; o3 ]8 C# G6 f6 [; G BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A) p5 w! Z; m6 A5 V" f
" }2 [3 A, P9 H; t) u$ H' W( T
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
; Q' K9 N% q. {: ], y! v( w" i
2 Y& e7 Z2 f4 @: A__________________________________________________________________________$ ?$ _' z/ t0 s% I7 p
& n- g% l3 l D4 F2 ?4 W& n+ \
Method 13" L5 v3 ^. V, p: r( C: J
=========
, s4 l% U2 ^( _8 m6 F. |
9 |9 F- i5 B- aNot a real method of detection, but a good way to know if SoftICE is2 a. V: v* c2 G: m
installed on a computer and to locate its installation directory.! q t4 F: z. Y1 O' Z
It is used by few softs which access the following registry keys (usually #2) :
) |; U* o- R. A1 b$ z o
% F+ a" d, Y9 T( Y( _0 N-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
, c: G9 d+ h9 e3 W: u, x5 W\Uninstall\SoftICE' J/ K. u' D9 D
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
( x" M, f4 I, o: V& E8 G. `" G-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion; T% i, l# E. ]7 C
\App Paths\Loader32.Exe) ~2 n: \: z8 M( T
# w) l* \* E9 J: n9 g% [7 V8 j: f( g
: Q e, n. r" l
Note that some nasty apps could then erase all files from SoftICE directory# h; _( k3 I4 ~( \( a
(I faced that once :-($ O8 `5 o: @* t. `# w9 N
( `: n) L+ q% l0 wUseful breakpoint to detect it:
2 ]. ]7 t' N' z; q
3 o4 i% v+ H5 U! Y z BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'& a4 @4 a$ h4 e. [' U( K
5 q% F7 a# I6 N* W0 q/ W+ x4 z
__________________________________________________________________________
1 h# \3 ]* v, n
) U* ~* p# S$ @! X; b8 X0 ]; Q6 Y6 b) i( P2 y/ t4 R# H
Method 14 $ h$ d7 a% V* A
=========" X9 n2 Z) C/ l2 r d
% U/ \) w, h0 \% K& |9 U1 ~4 q
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
4 ` J5 q! @* A$ [, p1 ais to determines whether a debugger is running on your system (ring0 only).
! |; T, I* a" [" J4 b# j/ M/ Z3 W9 c8 B7 E0 V
VMMCall Test_Debug_Installed
; P" k& ~) U& j je not_installed
. l1 G' r1 d3 i+ ^) K- O/ O O- y. V1 l% C" k8 F. b
This service just checks a flag.
! u5 A8 ^$ n* R& q</PRE></TD></TR></TBODY></TABLE> |