<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface implemented by SoftICE: with EBP set
to 'BCHK' and AX=4, the int 3 returns with AL changed when SoftICE is
present, which the cmp al,4 checks.

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number            ; (01h or 03h)
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SoftICE VxD as a device: succeeds only if SICE is loaded */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32)
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxDCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

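Added example, not taken from the original text nor from any of the programs it
names: a small C scanner that looks for the byte sequences behind methods 01,
02, 05, 11 and 12 in a buffer, the way you would triage a packed sample for
SoftICE checks before stepping into it. The instruction encodings are
assumptions (32-bit encodings for the Win32 tricks 01 and 12, with the import
address of the ORD_0001 call wildcarded; 16-bit encodings for the DOS/V86
tricks 02 and 05), and the \\.\SICE, \\.\SIWVID and \\.\NTICE device names are
the ones method 11 opens. The sample buffer in main() is constructed for the demo.

```c
/* Added example, not code from the original text: scan a buffer for the
 * byte sequences behind SoftICE checks 01, 02, 05, 11 and 12.
 * Encodings are assumptions: 32-bit for the Win32 tricks (01, 12),
 * 16-bit for the DOS/V86 ones (02, 05). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAT 32

typedef struct {
    const char *method; /* method number and name from the text */
    const char *hex;    /* space-separated hex bytes, "??" = any byte */
} softice_sig;

/* Constructed signatures; "??" marks bytes that differ per binary. */
static const softice_sig SIGS[] = {
    /* mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 (32-bit) */
    { "01 BoundsChecker 'BCHK' int 3",   "BD 4B 48 43 42 66 B8 04 00 CC 3C 04" },
    /* mov si,4647h / mov di,4A4Dh (16-bit magic values) */
    { "02 int 3 back door magic values", "BE 47 46 BF 4D 4A" },
    /* mov ax,4Fh / int 41h / cmp ax,0F386h (16-bit) */
    { "05 int 41h function 4Fh",         "B8 4F 00 CD 41 3D 86 F3" },
    /* device names opened by MeltICE-style code */
    { "11 MeltICE \\\\.\\SICE",          "5C 5C 2E 5C 53 49 43 45" },
    { "11 MeltICE \\\\.\\SIWVID",        "5C 5C 2E 5C 53 49 57 56 49 44" },
    { "11 MeltICE \\\\.\\NTICE",         "5C 5C 2E 5C 4E 54 49 43 45" },
    /* push 4Fh / push 2A002Ah / call [ORD_0001] / cmp ax,0F386h (32-bit) */
    { "12 VxDCall Int41Dispatch",        "6A 4F 68 2A 00 2A 00 FF 15 ?? ?? ?? ?? 66 3D 86 F3" },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Turn "BD 4B ?? 42" into byte + mask arrays; returns length or -1 on bad input. */
static int parse_sig(const char *hex, unsigned char *bytes, unsigned char *mask)
{
    int n = 0;
    while (*hex) {
        while (*hex == ' ') hex++;
        if (!*hex) break;
        if (n >= MAX_PAT || !hex[1]) return -1;
        if (hex[0] == '?' && hex[1] == '?') {
            bytes[n] = 0; mask[n] = 0x00;            /* wildcard byte */
        } else {
            int hi = hexval(hex[0]), lo = hexval(hex[1]);
            if (hi < 0 || lo < 0) return -1;
            bytes[n] = (unsigned char)(hi * 16 + lo); mask[n] = 0xFF;
        }
        n++; hex += 2;
    }
    return n;
}

/* Offset of the first masked match of 'hex' in buf, or -1 if absent. */
long find_sig(const unsigned char *buf, size_t len, const char *hex)
{
    unsigned char bytes[MAX_PAT], mask[MAX_PAT];
    int n = parse_sig(hex, bytes, mask);
    if (n <= 0 || (size_t)n > len) return -1;
    for (size_t off = 0; off + n <= len; off++) {
        int i = 0;
        while (i < n && (buf[off + i] & mask[i]) == bytes[i]) i++;
        if (i == n) return (long)off;
    }
    return -1;
}

/* Run every signature over buf; returns the number of hits and stores up to
 * 'cap' method labels in hits[]. */
int scan_softice_tricks(const unsigned char *buf, size_t len, const char **hits, int cap)
{
    int found = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        if (find_sig(buf, len, SIGS[s].hex) >= 0) {
            if (found < cap) hits[found] = SIGS[s].method;
            found++;
        }
    }
    return found;
}

int main(int argc, char **argv)
{
    /* Constructed sample: a method 12 sequence (arbitrary import address)
       followed by the "\\.\SICE" string, between filler bytes. */
    static const unsigned char sample[] = {
        0x90, 0x90, 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00, 0xFF, 0x15,
        0x10, 0x20, 0x40, 0x00, 0x66, 0x3D, 0x86, 0xF3, 0x74, 0x05,
        '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00 };
    const unsigned char *buf = sample;
    size_t len = sizeof sample;
    unsigned char *filebuf = NULL;
    if (argc > 1) {                       /* scan a file given on the command line */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END); len = (size_t)ftell(f); rewind(f);
        filebuf = malloc(len ? len : 1);
        if (!filebuf || fread(filebuf, 1, len, f) != len) { fclose(f); return 1; }
        fclose(f); buf = filebuf;
    }
    const char *hits[NSIGS];
    int n = scan_softice_tricks(buf, len, hits, (int)NSIGS);
    printf("%d SoftICE check(s) found\n", n);
    for (int i = 0; i < n; i++) printf("  method %s\n", hits[i]);
    free(filebuf);
    return 0;
}
```

Build with any C99 compiler; run it without arguments to scan the built-in
sample (it reports the method 12 sequence and the SICE device name), or pass a
file name to scan that file. Packers often reorder, split or obfuscate these
instructions, so a miss only means the exact sequence is absent, while a hit
tells you where to put the BPX.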
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>