<TABLE width=500>
: R& Q3 Z+ A T6 h<TBODY>5 @0 T8 h+ u; j! O' L ~" Z
<TR>
; I! z1 |9 t# ~3 y F" ^<TD><PRE>Method 01
( Z. I* K; y2 I( Y& X=========
- L3 |: Z) W9 r: c: L& K9 t; J
' h9 ^) L! ^3 ?, a2 d$ qThis method of detection of SoftICE (as well as the following one) is* [4 S- x! g, r% \ ^
used by the majority of packers/encryptors found on Internet.
! V8 W% b( ?/ K& |It seeks the signature of BoundsChecker in SoftICE" ]) u. N! b1 @0 o# w
/ y* w4 D4 b3 B1 A$ e mov ebp, 04243484Bh ; 'BCHK'
2 W. o, d3 S) k6 X1 t mov ax, 04h/ w1 n5 k% E3 k; U. g
int 3 ' F7 w! t l, A8 ]1 { _
cmp al,43 k- m9 c: J `5 f6 v
jnz SoftICE_Detected( f3 h, v$ P1 v$ x8 m9 E# d
4 v9 ?" R3 l4 r' N
___________________________________________________________________________
5 v. f$ ]. @1 @9 A' R6 |% S5 O: `
6 i5 e& K, h/ |6 e" mMethod 02
. ]; r: Y& @2 ^- K& y( ]! s=========
. o* n6 E) L0 `' C4 d* l+ v0 r0 K% V+ S: }* G$ N1 B! D) R3 I
Still a method very much used (perhaps the most frequent one). It is used
3 k2 J; _' s3 K. ]; Q$ C4 m8 ^to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
" j+ s3 S( Z' ?8 |5 x8 oor execute SoftICE commands... z4 w* ~! ~: n3 Y; K( ~9 X& x2 D
It is also used to crash SoftICE and to force it to execute any commands; E& B9 W4 g: g: P0 \( d1 r
(HBOOT...) :-((
8 x+ c( R* A+ \1 q) W
9 n: T; x( e# I! D6 V/ o$ |. VHere is a quick description:8 x$ Z& @* p5 {4 L* a1 l
-AX = 0910h (Display string in SIce windows)
0 | L. j, e1 J" C5 L3 e; s+ P1 ^-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
8 k9 I" e- U9 z/ P8 ]-AX = 0912h (Get breakpoint infos)
+ t& a0 N" k* s! R* d-AX = 0913h (Set Sice breakpoints)
: d/ K5 ~. Z% Y$ O-AX = 0914h (Remove SIce breakoints)
9 C& \5 h0 p) U6 q0 w
* q8 H# p- s6 k4 n4 E, f$ IEach time you'll meet this trick, you'll see:% a& y9 @- |" L, p2 T
-SI = 4647h
! Z9 o# E/ H6 S" }-DI = 4A4Dh
6 l4 y1 s4 E0 A3 G( jWhich are the 'magic values' used by SoftIce.: P: y& x8 E6 y/ K) R
For more informations, see "Ralf Brown Interrupt list" chapter int 03h./ n0 ^2 s3 |1 F# K) c* J
! K$ e m9 u( t$ e
Here is one example from the file "Haspinst.exe" which is the dongle HASP; d% a0 v$ o8 `7 M9 T* L
Envelope utility use to protect DOS applications:( f( D s' i/ s s1 g1 v9 l1 t" v
- g" V8 N3 T# y3 o+ d$ D8 z9 W# ?+ f, g6 ~
4C19:0095 MOV AX,0911 ; execute command.9 ^% t: g) \- v( a
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).1 ]+ C' O# y# s5 G7 W
4C19:009A MOV SI,4647 ; 1st magic value.$ y$ d, k7 S7 T& M$ E8 F0 X
4C19:009D MOV DI,4A4D ; 2nd magic value." b% ?, E4 J- z& R; L8 ~5 P$ Z
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)4 ?# v! S: d1 W( Y+ H9 ~( D
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute/ n: F) h1 O4 h ^& J* q _
4C19:00A4 INC CX
2 I4 j+ h% |$ z7 \. X) y4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
: K- A, R; u0 q" R4C19:00A8 JB 0095 ; 6 different commands.
) j& t* ~; p/ A; r; Q5 N* J. n4C19:00AA JMP 0002 ; Bad_Guy jmp back.
5 d* n( S w' h6 k2 N; s0 e4C19:00AD MOV BX,SP ; Good_Guy go ahead :)8 l/ g( R" n, I7 F* n* c
4 ^% { w7 c: f# [The program will execute 6 different SIce commands located at ds:dx, which
( {5 f* B9 w4 _/ E6 `& W- z& nare: LDT, IDT, GDT, TSS, RS, and ...HBOOT./ L/ J1 p! H3 [0 w
b! a# y+ W% s4 a1 L8 ]! Q9 j5 M/ X* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
' o; ]* v2 d6 o___________________________________________________________________________ d. p0 m3 C, M5 T! {
- ]$ C+ O9 Y/ ^% P g5 u1 H/ j+ P- B6 f5 ?* H- ^- t: ?. V
Method 03
- g( ?- X3 X: O& O+ F } ~, e' ^=========% I, y0 Z* R8 R5 m) y2 r5 w7 w
( }, M6 A; P7 P: f# zLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
N9 g; s% s# @+ O* U(API Get entry point)% c8 O# s+ h$ E6 p
. p4 M j4 Q( r* I% k' J# H+ U4 \* [4 Z' N9 n
xor di,di
0 q- _, C! r9 m/ g! [( J& { mov es,di
# q5 p: m2 Z; G2 ~5 Y6 L mov ax, 1684h * K; N( _( {& b& W$ {* `
mov bx, 0202h ; VxD ID of winice
" E0 F1 ]) `/ }% T3 m+ E; M int 2Fh! Q. o$ O% T* j; h Z' C- M7 M
mov ax, es ; ES:DI -> VxD API entry point6 x0 s# O/ M6 G k: N" f
add ax, di7 ~. R! M) m2 j# D' A" V" s
test ax,ax
" j5 M' c+ { R2 x! T) Z/ j jnz SoftICE_Detected$ M2 S0 r; J- ~: L
4 @# O2 n1 I5 B! w S___________________________________________________________________________
/ B$ X6 \( N @ p! y2 G6 c; l g. X6 o# r" t$ l6 E# O" N
Method 04
0 W! x) @1 G+ P=========, s& V7 T$ m7 l6 c$ P( K
9 `* F$ B; n( {/ m
Method identical to the preceding one except that it seeks the ID of SoftICE1 e H; h& @2 T$ }
GFX VxD.
) X E0 \. c) |) r* C% q6 A5 p$ a1 L `- i% L/ r+ _
xor di,di5 |4 @( n' x) K( j- C4 v9 M0 x$ ^8 h" L
mov es,di
$ r3 a/ o9 ?5 ?! @ mov ax, 1684h 3 m' _0 Y- q) b: `) E! J
mov bx, 7a5Fh ; VxD ID of SIWVID& v+ D+ }: I7 \+ j% p2 c
int 2fh
6 f. X3 F" n& }+ Q/ F/ o mov ax, es ; ES:DI -> VxD API entry point1 M* [2 @* \! n! v* {
add ax, di
5 j+ S _" x$ w8 q5 e* Y! o test ax,ax7 r0 v0 C2 k4 k3 d6 s; W
jnz SoftICE_Detected
& a" y% E2 r( ^! o: t$ U Y/ H5 `. z7 |2 S: {2 n/ ^
__________________________________________________________________________
0 f8 C& O$ ^% ]
$ u1 }+ x6 ]5 } @- G) |- g$ Q7 w8 }3 G
Method 05" W+ ^$ Y2 a# r4 Z! N
=========2 |: P4 O0 H2 }8 f& b
. L5 m: v, P. D! }4 y4 X. ?; T
Method seeking the 'magic number' 0F386h returned (in ax) by all system
5 C4 U0 a. E6 j3 E- B s! M0 }8 Xdebugger. It calls the int 41h, function 4Fh.0 c y1 s7 A+ c1 E+ i$ f! w `
There are several alternatives.
% I( R6 U. @% ]/ W/ c, c' a
8 o- h; C% U4 k( UThe following one is the simplest:
. {3 P5 `& U! }5 m# M" R0 y
c- G! x; a& B0 i mov ax,4fh
+ b, j; m% h- [5 [% \- {( b int 41h( B9 C: P& z T( N* G
cmp ax, 0F386
, I5 Y. y+ ?$ X6 u) d jz SoftICE_detected
7 d, O$ ?( _6 C% ]# r, q' d, R
3 U' X- |+ c, Y( h, f v' M1 @+ y" [' }) d+ P0 H
Next method as well as the following one are 2 examples from Stone's
: C/ ~) P1 u/ g" U6 B"stn-wid.zip" (www.cracking.net):
, _" C! m% X7 Q3 |4 L; B& Q9 X
( B' M( ]- [- D& D9 Q' U9 K4 \ mov bx, cs
6 W6 w" H7 T3 ^ lea dx, int41handler2
& ?+ ]' d) l1 S' }) H4 [: H xchg dx, es:[41h*4], U2 |. f- B% E& S0 N9 f
xchg bx, es:[41h*4+2]
" y; ], l; S9 Y& l$ d$ k" `( f$ q- a mov ax,4fh. |2 x) H; m$ L
int 41h, i" ?' p8 b7 i$ g+ O% n! V# I: V
xchg dx, es:[41h*4]3 D1 o: C% M6 e
xchg bx, es:[41h*4+2]7 t" t% p5 K6 {7 L6 V
cmp ax, 0f386h2 S: ^$ U( }) ^
jz SoftICE_detected X1 a- ?/ | ]: G6 h ]
6 B9 z0 N' z: _; K4 Q, N v. r
int41handler2 PROC
3 t+ n& M: z% M iret# O2 k0 G* _5 `' O- c8 b1 `3 Y
int41handler2 ENDP$ x5 w# a c$ o) g+ t7 M
: }1 P* r+ y* c- `1 T5 n0 q. D
1 C0 u+ ^. @: @4 B7 N
_________________________________________________________________________0 O) V0 Y$ b. H! ~' m
4 q/ O. Y( V# H$ K& I- |, g5 r
, ]8 Z' B3 \7 ]Method 06' b, Y$ g5 _2 _' p' Y V; z7 O
=========
& `; U0 }: J4 x% c. c
. m" d/ I' O6 ^' i! V, r2 f; l. ^ j" I$ W( j! m+ D3 k
2nd method similar to the preceding one but more difficult to detect:3 Z: o9 N" f! Z/ J, `
3 W7 l+ A5 l3 D3 G O1 w
. U2 ^! @0 {. Mint41handler PROC
! p: L" q" q# Q ]; d8 o7 Z mov cl,al; r) ~5 I1 m, ?; l1 |
iret( @& f8 R5 ?- b. |; K
int41handler ENDP
# w; i2 k# y! k; u- x
- R% [2 M$ U' V$ i$ D/ H/ b% G7 M$ h r7 ^/ }+ I; K7 e
xor ax,ax( [$ P7 d6 t/ _ O" d% Q
mov es,ax `7 W1 U) D- w( F. q- R
mov bx, cs: E5 K, W- K; u
lea dx, int41handler
( r1 V3 @; d9 X# v$ p xchg dx, es:[41h*4]
% r- ~9 m3 S7 x5 r xchg bx, es:[41h*4+2]/ j6 V& [3 X- y3 G, D- J ^ }
in al, 40h
/ D* o# e$ X, U& @ xor cx,cx
3 a0 _ A }. Z+ I9 |6 A int 41h
# e* ?5 g4 n9 s3 E xchg dx, es:[41h*4]
! E% a4 p7 H5 ^ xchg bx, es:[41h*4+2]3 [. s% M: N: ?+ c5 l& [, i3 f P
cmp cl,al* P3 N& b! W: `2 B0 M
jnz SoftICE_detected! h7 y, |% O$ K( x) x: p. p- c& u O# j
; V' J- ?& U) ~+ __________________________________________________________________________
( ^0 I1 B6 S* W% F) @: ^' p3 ? R: Q, z
Method 07 K5 E8 o [5 ?* E' P
=========2 f& P# ~ ~+ T4 a; v: w$ W
/ U0 ~. f3 u! G+ S# A& F
Method of detection of the WinICE handler in the int68h (V86)' }$ Z' Z3 k! k- U9 T
4 s S4 `9 N$ k! z! S$ o% B" |
mov ah,43h
+ X8 T/ M4 X$ _+ D! G7 ^ int 68h
+ {; D5 ^9 k! f' R& M# r" N6 ?% W0 d cmp ax,0F386h
" D W1 O4 h1 ?6 y jz SoftICE_Detected2 P2 g& f4 ^0 j4 m
- C1 _6 B9 \+ ?5 r6 c. U& Y" f n* q1 e5 O3 t C
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
: ^( ]' L" E% W1 Z4 W, }& G* o app like this:
s4 D1 y) ^) q+ j; k/ |4 g
" c* }+ a2 |- x2 D7 a. D+ Z2 } BPX exec_int if ax==685 w# T! N0 H# W7 z3 i( `' Q6 k
(function called is located at byte ptr [ebp+1Dh] and client eip is8 Y% f: d! x, n: ?% D
located at [ebp+48h] for 32Bit apps)5 w' @ p! w ~
__________________________________________________________________________9 u: {) y2 x0 M' d2 H
* Y; `( Z' U( d3 T
1 u3 q; y) s6 TMethod 08
. E1 h& [. _$ R9 s, Y=========
; S4 D2 {4 I' U0 j* }& T; k" }& x4 Q) r$ c- m
It is not a method of detection of SoftICE but a possibility to crash the
& Q( V: T" u3 L; vsystem by intercepting int 01h and int 03h and redirecting them to another
% c. G q1 d! O# X$ `routine.
' U& n. e! b$ J' I4 I- O SIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points3 d' k# R4 s1 ?0 O- A
to the new routine to execute (hangs computer...)
4 R, H5 ]! ~) \( o- Z
- F: `! r% N9 ^0 E9 y1 t' C3 v9 F$ R mov ah, 25h: v& q# L7 w m0 d3 j( k
mov al, Int_Number (01h or 03h)
) o& o$ m& r; f$ ?+ l# ~; E# L6 ^7 D$ j mov dx, offset New_Int_Routine& i2 A2 u4 ?( u4 \
int 21h& Y/ ]) f3 q: U1 J
1 T2 n( y" h* |+ [3 @% S
__________________________________________________________________________
8 A. [: F6 j" n
( B* Q, }% M9 n. WMethod 09
9 o# @) v+ r$ K/ ^' L! s( S=========# z8 i1 u O# y5 x# F; o% ]" z0 c% Q
3 r! h' x, x) }4 e
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
7 q6 Z( E/ V# `% ]+ Tperformed in ring0 (VxD or a ring3 app using the VxdCall).8 Z/ j z! G9 j7 S& v
The Get_DDB service is used to determine whether or not a VxD is installed
6 b+ `; e; R- T3 s- S# ^for the specified device and returns a Device Description Block (in ecx) for2 J& T- z0 w; p; f0 |5 v7 Q
that device if it is installed.
. `+ }! U! A* G2 R. Z% z
- z/ v) d5 \5 `+ l/ a; ~4 M# C. y mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
- h" M; F5 _0 T mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)( K3 e1 B2 `/ W3 S
VMMCall Get_DDB9 r, J( l" V; V
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed% k C% T3 v4 P3 r5 K+ f2 J
* Y* I9 E2 ?' d9 c5 r. G; K+ f, }
Note as well that you can easily detect this method with SoftICE:8 N% n. I" K; S
bpx Get_DDB if ax==0202 || ax==7a5fh
. H+ |# T8 M1 M W: n/ g. S
) Z# M$ Q8 P; w, S__________________________________________________________________________4 R5 @4 ^) o0 Y/ y5 [& X/ [0 s
1 `% l7 g4 z1 jMethod 10
n0 ?% c, u: m6 c=========
/ n5 s% E( S7 R. O/ I, x8 n/ E& q+ s( l0 e5 ]1 r
=>Disable or clear breakpoints before using this feature. DO NOT trace with
0 h3 e! [7 Z K/ a3 ~9 @ SoftICE while the option is enable!!
( G: ^! I! ?' h# B" _* }. v
+ \5 A& v3 n6 f5 OThis trick is very efficient:. _ x/ L/ v8 U" o7 b+ U
by checking the Debug Registers, you can detect if SoftICE is loaded
+ V+ c) Q1 D. a' k8 d( J(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
5 K3 N5 }: L6 B& \; M: k3 ethere are some memory breakpoints set (dr0 to dr3) simply by reading their
( k5 R* c' V5 f# \) ]value (in ring0 only). Values can be manipulated and or changed as well( k3 V7 K# C; p5 p) C' K" o1 Q
(clearing BPMs for instance)
8 b1 b# M7 _) w& I9 X
/ ^' a9 L5 x7 C% H& R" E- X: ~__________________________________________________________________________6 ?, S3 P$ s* ?. o( Y
7 n T# ~3 R( D* z% mMethod 11. G) A3 S% s! b! k
=========
0 g" h4 y. c& h/ ~0 j( d$ l4 C/ ]' i' `/ O$ W4 e
This method is most known as 'MeltICE' because it has been freely distributed% S T5 G9 ]4 D( P; G
via www.winfiles.com. However it was first used by NuMega people to allow( b6 \$ b8 [, [9 Q( V
Symbol Loader to check if SoftICE was active or not (the code is located
. Q0 }) Q: _" c% `; d4 Q5 G' i `% Ninside nmtrans.dll).
1 i( I$ q; e w; K% |
" S/ M: S0 l+ w0 u- SThe way it works is very simple:
5 o' W! j) J9 KIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for L e# H# S/ W* y: s: E7 X
WinNT) with the CreateFileA API.
- R) }% F! M7 K1 w+ ?
1 _7 {! w. o* g) ~1 a) ^Here is a sample (checking for 'SICE'):
) s- @) m8 e4 s5 J0 z: ? K8 m; B4 z( Z
BOOL IsSoftIce95Loaded()7 f8 \% }. N! w) ]+ e2 D
{
2 ^1 y1 N$ N1 F: g HANDLE hFile; / d2 u) T9 p( u( l
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
- t, h0 I" ~- `" E FILE_SHARE_READ | FILE_SHARE_WRITE,
/ m- G5 i& \2 h/ P y NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);/ W& O. w# Q- D0 c
if( hFile != INVALID_HANDLE_VALUE )3 _5 D& m' f6 y
{7 [# J8 b) v! C- Y6 F
CloseHandle(hFile);
- h' y4 @0 F. x return TRUE;4 F# z9 F& m7 w; X8 Q
}
1 r# C5 n' q9 R! j8 [ return FALSE;, d3 c2 r2 A4 }) L# j
}
* y: W3 c/ N8 T3 G# P9 R9 L; u! y1 U. ]4 e" W
Although this trick calls the CreateFileA function, don't even expect to be
% `9 O1 n0 q( C' b2 Y. `; Cable to intercept it by installing a IFS hook: it will not work, no way!$ {: M- w& ]: T8 d1 N5 p, t
In fact, after the call to CreateFileA it will get through VWIN32 0x001F. t- n- [1 T7 P( R% A& |4 c# O( ?/ E
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
- |( ]$ ~1 x8 E# X/ aand then browse the DDB list until it find the VxD and its DDB_Control_Proc; X+ g3 p: _7 Q/ }
field.
; a' E5 r' C) n1 T' l% eIn fact, its purpose is not to load/unload VxDs but only to send a
8 ?$ v% a4 H( q8 ~5 A% HW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)5 m# C% o: h( f4 ~3 G
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
' C5 J. K! k- Y& w1 kto load/unload a non-dynamically loadable driver such as SoftICE ;-). C( j( S& L' K
If the VxD is loaded, it will always clear eax and the Carry flag to allow _0 p% `( J: c6 R! N
its handle to be opened and then, will be detected.2 `7 k3 j( m* a8 h4 F3 S
You can check that simply by hooking Winice.exe control proc entry point& r# G T/ A ~; F4 Q! Z; e
while running MeltICE.+ d, l5 k+ |- A# M# t
0 F W% U5 n5 b g
! _/ `& U) @0 K0 { 00401067: push 00402025 ; \\.\SICE1 H; [6 t$ h, s' k) _7 H9 ~2 G* w6 s
0040106C: call CreateFileA
z: G/ b* D2 W# R% h 00401071: cmp eax,-001% i' ?1 {7 A% ^5 w& x9 _) a$ a* z
00401074: je 00401091
! Z4 F: {6 M$ _1 i$ Q" m* v! |' n! ^1 j2 `# w: n
# ?$ k: I$ u6 c/ v @/ ?; L JThere could be hundreds of BPX you could use to detect this trick.
# U4 `. k$ _2 k1 p T-The most classical one is:
2 d. z6 d: q- v6 p BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
; R' F+ Y3 `! G: [2 \ *(esp->4+4)=='NTIC'" [/ E$ N: C+ V4 i
9 _1 w0 x" s9 A. i-The most exotic ones (could be very slooooow :-(
# i! ]! _( u) f$ n BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
- q- ~8 t8 A! {$ z; a2 m7 n' L ;will break 3 times :-(
+ b! m/ ?, C( ^
* `" G7 e6 k/ U; i; t-or (a bit) faster:
8 N/ n2 y# ^- }- Q/ {3 M BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
5 Z& X) i/ ~/ F6 X( i% T! B1 Z: H9 G2 }8 K! K4 D" V
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 0 e6 l. p; y' J" O- @) y4 T
;will break 3 times :-(
9 B. Q( v% i# a
" z ^, E% j3 E5 I/ |# k+ H-Much faster:- d( [" a5 a8 Y+ }, F" C$ l
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'" N, M3 [" w( M# e7 p- f! M; P
% b6 T9 g: g4 |* ?4 ~
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
" L# D" [9 b! b( a9 N0 g8 s. \function to do the same job:* [9 z* b- N* i4 u8 M- I# W l
- ~. f+ [( O6 r/ t( g. Y* j' i push 00 ; OF_READ
" N5 p2 {6 M4 ?. x mov eax,[00656634] ; '\\.\SICE',09 c2 I7 ~- w; E9 g8 |8 p. z% Z
push eax+ n3 {7 g% u: u& d" T5 c4 a/ X& p9 @: e. `
call KERNEL32!_lopen2 c; o$ Q' v% G) _+ p$ J; r# T
inc eax
/ c3 |$ A% U0 h/ Y/ U jnz 00650589 ; detected; d# z2 r0 m7 {+ e" B/ C9 e
push 00 ; OF_READ
( r7 Z2 s8 R# F7 H mov eax,[00656638] ; '\\.\SICE'7 m4 B5 @" }, k/ r! R
push eax
, j( z( ~$ n. `6 I- a call KERNEL32!_lopen
; i4 }$ `' T9 g inc eax; j$ L6 m1 _+ i! y' B* Y. O
jz 006505ae ; not detected
( Q" |$ N8 U8 }; v* e$ c% d
" T0 u( _- }3 E- U* s+ m* t1 t& z
1 X8 z, w g; |8 q+ p) X__________________________________________________________________________! |; A- @# M$ f8 E! w; p6 K* e# x
9 e E S) B q! V4 d2 E2 FMethod 12
! B @5 Z- R4 Y6 f0 c" s/ u" b5 B2 ?=========
& W, q& W! B( ~4 k" z& H
' T6 |. M- M+ f, O$ f8 s, _; u8 rThis trick is similar to int41h/4fh Debugger installation check (code 058 ^" s/ H( D/ a) j3 T' X
& 06) but very limited because it's only available for Win95/98 (not NT)
0 ], J3 `, }2 g. a0 Y$ gas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
+ v8 P, l7 h9 D7 m% I7 ?' L q
, s& I! G: r& m! f/ ?4 }8 S push 0000004fh ; function 4fh% X4 A4 \& V4 V, r, s
push 002a002ah ; high word specifies which VxD (VWIN32)$ x6 B4 n9 J8 I' A2 t" S4 `
; low word specifies which service
9 {: Y3 t$ t$ t (VWIN32_Int41Dispatch)
* {9 m9 V: i# }& q call Kernel32!ORD_001 ; VxdCall0 Q& R$ B/ F! @
cmp ax, 0f386h ; magic number returned by system debuggers0 k) u1 r* H$ `7 H8 W% h
jz SoftICE_detected
7 O! f3 t9 V+ i: ^! S/ u/ h
& ~6 J# K: }( M9 b* l2 x6 FHere again, several ways to detect it:- J! Y( o% j- ^- o# q' K/ u$ r( V4 ^
8 b' {4 x& f) @ BPINT 41 if ax==4f
! ]+ M- ^ Y" w$ _; L
( R, l6 P* I; E3 b- T& F BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
9 y% M, ?' Z& ?2 ~) M% T4 V+ T* t l2 {/ w8 y( v+ n3 ~+ b4 \
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
3 E- V1 w7 }8 T- B5 |3 H# }: }* I$ B5 y2 O0 _& @
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
% e! |2 a/ x3 F) A8 [! m# W! J; c
- h& \# R0 ?3 v; Y__________________________________________________________________________1 Z8 R" r3 I" P2 y- H
8 P( q: v7 R2 E, U) cMethod 13- ~& L8 ^- c% r
=========0 E6 E1 Q6 L! o* t. z
3 D, r5 I0 c6 t8 |/ P5 I3 G/ xNot a real method of detection, but a good way to know if SoftICE is: M$ U3 q: m: l) `& G3 @! t
installed on a computer and to locate its installation directory.
1 E9 s/ ]2 d, j6 S/ k6 Z/ y/ ~It is used by few softs which access the following registry keys (usually #2) :
& D* \4 N" {, y& G' N5 r
k) F' K% s1 T$ `5 o; Q-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
3 p0 g' J8 k- p0 o- K\Uninstall\SoftICE6 `, ]" J% q$ v
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE8 ^) D' m! C6 J0 ^7 t, a; B' ~
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion7 x3 m7 C' X3 L8 _& Q
\App Paths\Loader32.Exe
; N3 ^3 [4 d; e) _; I) |& I. c% J" {% n9 h" a: a6 ~
7 `" c: u' o) G8 O& Q
Note that some nasty apps could then erase all files from SoftICE directory
; F3 ^4 V& m0 P. X! c9 @2 P(I faced that once :-(
0 D8 `/ p# z9 C$ Q$ C
3 d( w/ O; o: Q9 w1 z6 O, N8 oUseful breakpoint to detect it:
! y1 V7 a. s, ^0 C4 ^6 Y
' m9 S! y: B( U" s2 b* K8 F! b BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'9 k' n5 @5 E9 y( s! _6 e
+ H I0 P& @- }' F3 F, N
__________________________________________________________________________7 B( k6 p% O0 L+ X$ _
$ {: c3 B3 o1 A8 i/ k4 `% Q& K& x# V+ ~2 E
Method 14
# r* p- X* r" ]$ d& s=========) f' _' f0 B3 Q& M4 k( B- D4 x) Y: n" p
" i* T6 _7 l2 g% o; P7 JA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
! n. C4 B, l; }, q0 X5 lis to determines whether a debugger is running on your system (ring0 only).5 \7 [5 H7 E, y B" ]9 v! p
P; u: S" B) X# z VMMCall Test_Debug_Installed8 e: z! p4 Q( X$ I. t2 T; K
je not_installed+ O/ o) x v, g7 e# p
+ x* k! k# N2 p j/ s. s: N! ZThis service just checks a flag.
" X9 v+ I% h" `2 x; w</PRE></TD></TR></TBODY></TABLE> |