<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature ('BCHK') handled by SoftICE.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; SoftICE answers the signature by changing AL
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV  AX,0911   ; execute command.
        4C19:0098 MOV  DX,[BX]   ; ds:dx points to the command (see below).
        4C19:009A MOV  SI,4647   ; 1st magic value.
        4C19:009D MOV  DI,4A4D   ; 2nd magic value.
        4C19:00A0 INT  3         ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1 ADD  BX,02     ; BX+2 to point to the next command to execute.
        4C19:00A4 INC  CX
        4C19:00A5 CMP  CX,06     ; Repeat 6 times to execute
        4C19:00A8 JB   0095      ; 6 different commands.
        4C19:00AA JMP  0002      ; Bad_Guy jmp back.
        4C19:00AD MOV  BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________
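As an added example (not code from the original text, nor from Haspinst or any packer discussed here), the following Python sweep locates INT 3 sites in 16-bit code and classifies each one by the immediates loaded into AX, SI, DI and EBP just before it: the BCHK probe of Method 01 and the back-door calls of Method 02. The sample bytes are hand-assembled from the Haspinst listing above with placeholder displacements; the decoder models only a handful of instructions and is a triage heuristic, not a disassembler.

```python
"""Added example (not from the original text): find INT 3 sites in 16-bit x86 code
and report whether the registers feeding them carry the SoftICE magic values from
Methods 01 and 02.  The sample bytes below were hand-assembled for this example."""
from __future__ import annotations
import struct

BCHK_MAGIC = 0x4243484B        # 'BCHK' in EBP: BoundsChecker signature (Method 01)
SICE_MAGIC_SI = 0x4647         # SI magic value of the SoftICE back door (Method 02)
SICE_MAGIC_DI = 0x4A4D         # DI magic value of the SoftICE back door (Method 02)
BACKDOOR_FUNCTIONS = {         # AX values listed on the page
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at DS:DX",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}
MOV_IMM16 = {0xB8: "ax", 0xBE: "si", 0xBF: "di"}   # mov r16, imm16 opcodes


def classify(regs: dict[str, int]) -> str:
    """Name the trick an INT 3 would trigger, given the immediates seen before it."""
    if regs.get("ebp") == BCHK_MAGIC and regs.get("ax") == 4:
        return "BoundsChecker 'BCHK' signature check (Method 01)"
    if regs.get("si") == SICE_MAGIC_SI and regs.get("di") == SICE_MAGIC_DI:
        ax = regs.get("ax", 0)
        fn = BACKDOOR_FUNCTIONS.get(ax, "unknown back door function")
        return f"SoftICE back door {ax:04X}h: {fn} (Method 02)"
    return "ordinary INT 3 (no SoftICE magic values present)"


def decode_int3_sites(code: bytes) -> list[dict]:
    """Linear sweep that models only 'mov ax/si/di, imm16', 'mov ebp, imm32'
    (16-bit code, 66h prefix) and INT 3 (CCh or CD 03h).  Other bytes are
    stepped over one at a time: a heuristic, not a full disassembler."""
    regs: dict[str, int] = {}
    findings: list[dict] = []
    i = 0
    while i < len(code):
        op = code[i]
        if op in MOV_IMM16 and i + 2 < len(code):
            regs[MOV_IMM16[op]] = struct.unpack_from("<H", code, i + 1)[0]
            i += 3
        elif op == 0x66 and i + 5 < len(code) and code[i + 1] == 0xBD:
            regs["ebp"] = struct.unpack_from("<I", code, i + 2)[0]
            i += 6
        elif op == 0xCC or (op == 0xCD and i + 1 < len(code) and code[i + 1] == 0x03):
            findings.append({"offset": i, "kind": classify(regs), **regs})
            regs = {}                 # the immediates belong to this INT 3 only
            i += 1 if op == 0xCC else 2
        else:
            i += 1
    return findings


# Constructed sample: the Haspinst.exe loop body from Method 02 (4C19:0095..00AA)
# followed by a Method 01 style BCHK probe.  Jump displacements are placeholders.
SAMPLE = bytes.fromhex(
    "B81109"        # mov ax, 0911h        (execute command)
    "8B17"          # mov dx, [bx]         (ds:dx -> command string)
    "BE4746"        # mov si, 4647h        (1st magic value)
    "BF4D4A"        # mov di, 4A4Dh        (2nd magic value)
    "CC"            # int 3
    "83C302"        # add bx, 2
    "41"            # inc cx
    "83F906"        # cmp cx, 6
    "72EB"          # jb  loop start
    "66BD4B484342"  # mov ebp, 4243484Bh   ('BCHK')
    "B80400"        # mov ax, 4
    "CC"            # int 3
    "3C04"          # cmp al, 4
    "7500"          # jnz SoftICE_Detected
)

if __name__ == "__main__":
    for f in decode_int3_sites(SAMPLE):
        print(f"{f['offset']:04X}: {f['kind']}")
```

Run over a suspected packer stub, this tells an analyst which back-door function a given INT 3 invokes (AX=0911h with the magic SI/DI pair is the 'execute command' case the Haspinst loop uses to issue HBOOT), so a breakpoint can be placed after the site rather than on it.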

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI stays 0 when the VxD is absent
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install a dummy int 41h handler; assumes ES = 0
        xchg bx, es:[41h*4+2]   ; (IVT segment), as set up in Method 06
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the previous vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; the dummy handler leaves AX alone
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our own handler just echoes AL into CL
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, old vector saved in DX:BX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable byte from the timer port
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; if a debugger swallowed int 41h, CL was never set
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h                     ; DOS set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
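As an added example (not from the original text), here is a Python decoder for a DR7 value read the way the ring-0 check above reads it. The field positions are the architectural x86 DR7 layout; the sample values 0x700 and 0x400 are the ones the page quotes, and the third value is constructed to show one armed breakpoint. The tool only interprets the bits, it does not claim why SoftICE's loader sets them.

```python
"""Added example (not from the original text): decode a DR7 value the way the
ring-0 check in Method 10 would interpret it.  Field positions are the
architectural x86 DR7 layout; 0x700 and 0x400 are the values quoted on the page."""
from __future__ import annotations

RW_NAMES = {0: "execute", 1: "write", 2: "I/O read/write", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}          # LEN field encoding; 8 is 64-bit mode only


def decode_dr7(dr7: int) -> dict:
    """Return the enabled hardware breakpoints plus the global control bits."""
    enabled = []
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1           # L0..L3: bits 0,2,4,6
        glob = (dr7 >> (2 * slot + 1)) & 1        # G0..G3: bits 1,3,5,7
        if local or glob:
            rw = (dr7 >> (16 + 4 * slot)) & 3     # R/Wn: condition
            ln = (dr7 >> (18 + 4 * slot)) & 3     # LENn: size
            enabled.append({"slot": slot, "local": bool(local), "global": bool(glob),
                            "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "enabled": enabled,
        "LE": bool(dr7 & (1 << 8)),               # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),               # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),  # architecturally reads as 1
        "GD": bool(dr7 & (1 << 13)),              # general detect: MOV DRn traps
    }


def debugger_indicators(dr7: int, dr0_3: tuple[int, int, int, int] = (0, 0, 0, 0)) -> list[str]:
    """What a Method 10 style check concludes from a DR7 / DR0..DR3 snapshot."""
    d = decode_dr7(dr7)
    notes = []
    if d["LE"] or d["GE"]:
        notes.append("LE/GE set (the dr7=0x700 pattern the page attributes to the SoftICE loader)")
    if d["enabled"]:
        notes.append(f"{len(d['enabled'])} hardware breakpoint(s) armed, BPM style")
    if any(dr0_3):
        notes.append("non-zero linear address left in DR0..DR3")
    if d["GD"]:
        notes.append("GD set: the MOV from DR7 itself would have trapped")
    return notes


if __name__ == "__main__":
    # 0xF0401: reserved bit plus L0 enabled, R/W0 = read/write, LEN0 = 4 bytes (constructed)
    for value in (0x700, 0x400, 0xF0401):
        print(f"dr7={value:#x}: {debugger_indicators(value) or ['nothing debugger-like']}")
```

A clean system shows only the reserved bit (0x400); LE/GE or any Ln/Gn bit is what the check keys on. Reading DR7 from ring 3 raises a general-protection fault, which is why the page restricts this method to ring 0.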

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* The open only succeeds when the VxD is resident, because only a
       loaded VxD answers the DIOC_OPEN message (see below). */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
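The interrupt-based checks of Methods 03, 04, 05 and 07, the VxDCall variant of Method 12 and the driver names of Method 11 all leave fixed byte sequences in a binary. As an added example (not from the original text or from any program discussed here), the following Python scanner looks for them statically: for each INT 2Fh/41h/68h it inspects the preceding bytes for the magic immediates the page lists, it matches the push 4Fh / push 002A002Ah pair of Method 12, and it finds the \\.\SICE, \\.\SIWVID and \\.\NTICE device names in ANSI and UTF-16LE. The byte patterns are hand-assembled from the listings above and the sample buffer is constructed; Method 06 is deliberately not covered, since it loads no fixed immediate before int 41h (that is what makes it harder to detect).

```python
"""Added example (not from the original text): static signature scan for the
interrupt-, VxDCall- and driver-name-based SoftICE checks of Methods 03, 04, 05,
07, 11 and 12.  Byte patterns are hand-assembled from the page's listings and
the sample buffer is constructed for this example."""
from __future__ import annotations
from dataclasses import dataclass
import re

WINDOW = 12   # bytes inspected before an INT for the immediates that set it up


@dataclass
class Finding:
    offset: int
    method: str
    detail: str


def scan_interrupt_checks(code: bytes) -> list[Finding]:
    """INT 2Fh/41h/68h whose preceding bytes carry the page's magic immediates.
    Immediates are searched as substrings, so the plain 16-bit encodings and the
    66h-prefixed 32-bit encodings (e.g. 66 B8 84 16) both match."""
    out = []
    for m in re.finditer(rb"\xCD[\x2F\x41\x68]", code):
        off = m.start()
        vector = code[off + 1]
        before = code[max(0, off - WINDOW):off]
        after = code[off + 2:off + 10]
        if vector == 0x2F and b"\xB8\x84\x16" in before:            # mov ax,1684h
            if b"\xBB\x02\x02" in before:                            # mov bx,0202h
                out.append(Finding(off, "Method 03", "int 2Fh/1684h asks for VxD ID 0202h (SICE)"))
            elif b"\xBB\x5F\x7A" in before:                          # mov bx,7A5Fh
                out.append(Finding(off, "Method 04", "int 2Fh/1684h asks for VxD ID 7A5Fh (SIWVID)"))
        elif vector == 0x41 and b"\xB8\x4F\x00" in before:          # mov ax,4Fh
            tail = " followed by cmp ax,0F386h" if b"\x3D\x86\xF3" in after else ""
            out.append(Finding(off, "Method 05", "int 41h function 4Fh debugger check" + tail))
        elif vector == 0x68 and b"\xB4\x43" in before:              # mov ah,43h
            out.append(Finding(off, "Method 07", "int 68h function 43h (V86 WinICE handler) check"))
    return out


# push 4Fh (6A 4F or 68 4F 00 00 00) then push 002A002Ah: VWIN32_Int41Dispatch via VxDCall
VXDCALL_INT41 = re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00", re.DOTALL)


def scan_vxdcall_checks(code: bytes) -> list[Finding]:
    return [Finding(m.start(), "Method 12", "push 4Fh / push 002A002Ah before VxDCall (VWIN32_Int41Dispatch)")
            for m in VXDCALL_INT41.finditer(code)]


DEVICE_NAMES = (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")


def scan_device_names(code: bytes) -> list[Finding]:
    """Driver names opened by MeltICE-style CreateFileA/_lopen probes, ANSI or UTF-16LE."""
    out = []
    for name in DEVICE_NAMES:
        for encoded, label in ((name, "ANSI"), (name.decode().encode("utf-16-le"), "UTF-16LE")):
            for m in re.finditer(re.escape(encoded), code):
                out.append(Finding(m.start(), "Method 11", f"driver name {name.decode()} ({label})"))
    return out


def scan_all(code: bytes) -> list[Finding]:
    found = scan_interrupt_checks(code) + scan_vxdcall_checks(code) + scan_device_names(code)
    return sorted(found, key=lambda f: f.offset)


# Constructed sample buffer: one instance of each check, hand-assembled.
SAMPLE = (
    bytes.fromhex("31FF8EC7B88416BB0202CD2F8CC001F885C07505")   # Method 03 (16-bit)
    + b"\x90" * 4
    + bytes.fromhex("B84F00CD413D86F37400")                      # Method 05, simplest form
    + bytes.fromhex("B443CD683D86F37400")                        # Method 07
    + bytes.fromhex("6A4F682A002A00E800000000663D86F37400")      # Method 12 (32-bit, call rel32 placeholder)
    + b"\\\\.\\SICE\x00"                                         # Method 11, ANSI
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"           # Method 11, wide
)

if __name__ == "__main__":
    for f in scan_all(SAMPLE):
        print(f"{f.offset:04X}  {f.method:<10} {f.detail}")
```

Because the INT matching looks at a short window of raw bytes rather than decoded instructions, it can fire on data that happens to contain CD 41 near B8 4F 00; treat hits as leads to confirm in the debugger with the BPX/BPINT lines given above, not as proof.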

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>