<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SoftICE window)
 -AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)
Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095  MOV  AX,0911    ; execute command.
    4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A  MOV  SI,4647    ; 1st magic value.
    4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
    4C19:00A0  INT  3          ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4  INC  CX
    4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
    4C19:00A8  JB   0095       ; 6 different commands.
    4C19:00AA  JMP  0002       ; Bad_Guy jmp back.
    4C19:00AD  MOV  BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (interrupt vector table segment)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    in al, 40h              ; AL = timer value, copied to CL by our handler
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL != AL: our handler did not run
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (VxD or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (DR0 to DR3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067:  push 00402025        ; \\.\SICE
    0040106C:  call CreateFileA
    00401071:  cmp  eax,-001
    00401074:  je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov  eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589             ; detected
    push 00                   ; OF_READ
    mov  eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp  ax, 0F386h         ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
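Every stub listed in methods 01 to 07, 11 and 12 leaves a fixed byte sequence in the protected binary, so an analyst triaging a packed sample can flag them statically; the following C scanner is an added example and is not part of the original text. The opcode encodings and the signature names are assumptions derived from the listings above (16-bit encodings for the DOS/int-based stubs; 32-bit code prefixes the 16-bit register moves with 66h), and the two sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;     /* which method of the text the stub belongs to */
    uint8_t     pat[12];  /* raw bytes to look for */
    size_t      len;
} sig_t;

/* Byte patterns derived from the listings above (assumed encodings). The int-based
   tricks are encoded as 16-bit code; 32-bit builds prefix the 16-bit moves with 66h. */
static const sig_t SIGS[] = {
    { "mov ebp,'BCHK' (method 01)",            { 0xBD,0x4B,0x48,0x43,0x42 }, 5 },
    { "mov si,4647h/mov di,4A4Dh (method 02)", { 0xBE,0x47,0x46,0xBF,0x4D,0x4A }, 6 },
    { "int 2F/1684 SICE VxD (method 03)",      { 0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F }, 8 },
    { "int 2F/1684 SIWVID VxD (method 04)",    { 0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F }, 8 },
    { "mov ax,4Fh/int 41h (method 05)",        { 0xB8,0x4F,0x00,0xCD,0x41 }, 5 },
    { "mov ah,43h/int 68h (method 07)",        { 0xB4,0x43,0xCD,0x68 }, 4 },
    { "\\\\.\\SICE device name (method 11)",   { '\\','\\','.','\\','S','I','C','E' }, 8 },
    { "\\\\.\\SIWVID device name (method 11)", { '\\','\\','.','\\','S','I','W','V','I','D' }, 10 },
    { "\\\\.\\NTICE device name (method 11)",  { '\\','\\','.','\\','N','T','I','C','E' }, 9 },
    { "push 002A002Ah VxDCall (method 12)",    { 0x68,0x2A,0x00,0x2A,0x00 }, 5 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Scan buf for every signature; bit i of the result is set when SIGS[i] occurs. */
unsigned scan_anti_softice(const uint8_t *buf, size_t len)
{
    unsigned hits = 0;
    for (size_t i = 0; i < NSIGS; i++) {
        size_t n = SIGS[i].len;
        for (size_t off = 0; off + n <= len; off++) {
            if (memcmp(buf + off, SIGS[i].pat, n) == 0) {
                hits |= 1u << i;
                break;            /* one occurrence per signature is enough */
            }
        }
    }
    return hits;
}

/* Constructed sample: a method 02 stub followed by a MeltICE device name. */
static const uint8_t SAMPLE_STUB[] = {
    0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,        /* mov si,4647h; mov di,4A4Dh; int 3 */
    '\\','\\','.','\\','S','I','C','E', 0x00,    /* "\\.\SICE" */
};
/* Constructed clean sample: an ordinary prologue/epilogue, no stub. */
static const uint8_t SAMPLE_CLEAN[] = { 0x55, 0x89, 0xE5, 0x5D, 0xC3 };

unsigned scan_sample_stub(void)  { return scan_anti_softice(SAMPLE_STUB, sizeof SAMPLE_STUB); }
unsigned scan_sample_clean(void) { return scan_anti_softice(SAMPLE_CLEAN, sizeof SAMPLE_CLEAN); }

int main(void)
{
    unsigned hits = scan_sample_stub();  /* bits 1 (method 02) and 6 (SICE name) */
    for (size_t i = 0; i < NSIGS; i++)
        if (hits & (1u << i)) printf("found: %s\n", SIGS[i].name);
    return 0;
}
```

A hit only says the bytes are present; confirm in the disassembly that they sit in executed code, since the same sequence can occur in data by chance.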

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>