<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE recognises:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; if SoftICE handles the request, AL no longer holds 4
    cmp al, 4               ; nothing loaded: AL is still 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints, execute SoftICE commands, etc.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h (the ASCII codes of 'FG')
-DI = 4A4Dh (the ASCII codes of 'JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS and... HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less-used method. It asks for the SoftICE VxD by its ID via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed beforehand so that a
non-answer reads as 0:0:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of WINICE
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it asks for the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh       ; VxD ID of SIWVID
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants. The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the IVT is pointed
at a dummy handler for the duration of the call, so nothing in the DOS box
itself can answer; AX only comes back as 0F386h if something below the IVT
(the system debugger) intercepts the interrupt:

    xor ax, ax
    mov es, ax              ; ES must point at the IVT (segment 0)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to spot,
since no 0F386h constant is compared: a byte read from the timer port (40h)
is passed to int 41h and the program's own handler copies it into CL. If the
handler ran (no debugger), CL equals AL; if SoftICE swallowed the interrupt,
CL is still 0. (The check is fooled when the timer byte happens to be 0.)

int41handler PROC
    mov cl, al
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random byte from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
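
A static way to spot the sequences of Methods 01 to 08 in a DOS or 16-bit
binary, as an added example that is not part of the original page nor of any
packer's code: the instructions quoted above are re-encoded as byte
signatures and a naive scanner is run over a buffer constructed here from the
Haspinst.exe loop of Method 02 followed by the simplest int 41h check of
Method 05. The signature names, the nop filler and the jump displacements are
this example's own choices. The scanner only matches the exact instruction
order shown on the page; a packer that reorders or splits the moves (or uses
mov ax,2501h instead of mov ah,25h / mov al,01h for Method 08) slips past it.

```c
/* Added example (not from the original page): static scanner for the
 * INT-based anti-SoftICE sequences of Methods 01 to 08. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; const uint8_t *bytes; size_t len; } Signature;

/* Opcode encodings (16-bit code) of the instructions shown on the page. */
static const uint8_t S_BCHK[]  = {0x66,0xBD,0x4B,0x48,0x43,0x42};           /* mov ebp,4243484Bh ('BCHK')        */
static const uint8_t S_BACKD[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC};      /* mov si,4647h; mov di,4A4Dh; int 3 */
static const uint8_t S_2F_SI[] = {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F}; /* mov ax,1684h; mov bx,0202h; int 2Fh */
static const uint8_t S_2F_SV[] = {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F}; /* mov ax,1684h; mov bx,7A5Fh; int 2Fh */
static const uint8_t S_41[]    = {0xB8,0x4F,0x00,0xCD,0x41};                /* mov ax,4Fh; int 41h               */
static const uint8_t S_68[]    = {0xB4,0x43,0xCD,0x68};                     /* mov ah,43h; int 68h               */
static const uint8_t S_F386[]  = {0x3D,0x86,0xF3};                          /* cmp ax,0F386h                     */
static const uint8_t S_VEC1[]  = {0xB4,0x25,0xB0,0x01};                     /* mov ah,25h; mov al,01h            */
static const uint8_t S_VEC3[]  = {0xB4,0x25,0xB0,0x03};                     /* mov ah,25h; mov al,03h            */

#define SIG(n, a) { n, a, sizeof a }
static const Signature SIGS[] = {
    SIG("BCHK signature (method 01)",       S_BCHK),
    SIG("int3 backdoor (method 02)",        S_BACKD),
    SIG("int 2Fh/1684h SICE (method 03)",   S_2F_SI),
    SIG("int 2Fh/1684h SIWVID (method 04)", S_2F_SV),
    SIG("int 41h/4Fh (method 05)",          S_41),
    SIG("int 68h/43h (method 07)",          S_68),
    SIG("cmp ax,0F386h (methods 05/07)",    S_F386),
    SIG("set int 01h vector (method 08)",   S_VEC1),
    SIG("set int 03h vector (method 08)",   S_VEC3),
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

typedef struct { const char *name; size_t offset; } Hit;

/* Naive multi-pattern search. Returns the total number of matches; only the
 * first max_hits of them are stored in hits[]. */
size_t scan_anti_sice(const uint8_t *buf, size_t len, Hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        const Signature *sig = &SIGS[s];
        for (size_t i = 0; sig->len <= len && i + sig->len <= len; i++) {
            if (memcmp(buf + i, sig->bytes, sig->len) == 0) {
                if (n < max_hits) { hits[n].name = sig->name; hits[n].offset = i; }
                n++;
            }
        }
    }
    return n;
}

/* Constructed sample: the Haspinst.exe loop of Method 02 re-encoded as bytes,
 * then the simplest Method 05 check, with nop filler around them. */
size_t build_sample(uint8_t *out, size_t cap)
{
    static const uint8_t sample[] = {
        0x90,0x90,0x90,        /* nop filler                        */
        0xB8,0x11,0x09,        /* mov ax,0911h  (execute command)   */
        0x8B,0x17,             /* mov dx,[bx]                       */
        0xBE,0x47,0x46,        /* mov si,4647h  1st magic value     */
        0xBF,0x4D,0x4A,        /* mov di,4A4Dh  2nd magic value     */
        0xCC,                  /* int 3                             */
        0x83,0xC3,0x02,        /* add bx,2                          */
        0x41,                  /* inc cx                            */
        0x83,0xF9,0x06,        /* cmp cx,6                          */
        0x72,0xEB,             /* jb  back to mov ax,0911h          */
        0x90,                  /* nop                               */
        0xB8,0x4F,0x00,        /* mov ax,4Fh                        */
        0xCD,0x41,             /* int 41h                           */
        0x3D,0x86,0xF3,        /* cmp ax,0F386h                     */
        0x74,0x00,             /* jz  SoftICE_detected (stub)       */
    };
    if (cap < sizeof sample) return 0;
    memcpy(out, sample, sizeof sample);
    return sizeof sample;
}

/* Offset of the first hit named `name` in the constructed sample, or -1. */
long demo_first_hit(const char *name)
{
    uint8_t buf[64]; Hit hits[16];
    size_t len = build_sample(buf, sizeof buf);
    size_t n = scan_anti_sice(buf, len, hits, 16);
    if (n > 16) n = 16;
    for (size_t i = 0; i < n; i++)
        if (strcmp(hits[i].name, name) == 0) return (long)hits[i].offset;
    return -1;
}

size_t demo_total_hits(void)
{
    uint8_t buf[64]; Hit hits[16];
    size_t len = build_sample(buf, sizeof buf);
    return scan_anti_sice(buf, len, hits, 16);
}

int main(void)
{
    uint8_t buf[64]; Hit hits[16];
    size_t len = build_sample(buf, sizeof buf);
    size_t n = scan_anti_sice(buf, len, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("%04zx  %s\n", hits[i].offset, hits[i].name);
    return 0;
}
```

Running it prints the offset and name of each hit; the constructed sample
yields three (the int 3 back door at 0008, the int 41h/4Fh call at 0019 and
the cmp ax,0F386h at 001E). To scan a real file, read it into a buffer and
pass it to scan_anti_sice() in place of build_sample().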

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only be
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (dr7=0x700 if you loaded the program with the SoftICE
loader, 0x400 otherwise) or whether some memory breakpoints are set (dr0 to
dr3), simply by reading their value (ring 0 only). The values can be
manipulated or changed as well (clearing BPMs, for instance).
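
To make the numbers above concrete, here is an added example (not code from
the original page) that decodes a DR7 value into its enable bits and the
per-register R/W and LEN fields. It does not read DR7 itself: mov eax,dr7 is a
privileged instruction and faults in ring 3, so the caller passes the value
in. Bit 10 of DR7 is hard-wired to 1, which is why an idle register reads
0x400 rather than 0, and 0x700 is that same bit plus LE (bit 8) and GE
(bit 9); a BPM set by SoftICE shows up as one of L0..L3/G0..G3 being set with
its R/W and LEN fields filled in. The sample values in main() are constructed
for illustration.

```c
/* Added example (not from the original page): DR7 field decoder for the
 * debug-register check of Method 10. Values are supplied by the caller. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int l[4], g[4];   /* L0..L3 (bits 0,2,4,6) and G0..G3 (bits 1,3,5,7)      */
    int le, ge;       /* bits 8 and 9: local / global exact breakpoint enable  */
    int gd;           /* bit 13: general detect (trap on any DRx access)       */
    int rw[4];        /* bits 16-17,20-21,24-25,28-29: 0=exec 1=write 3=r/w    */
    int len[4];       /* bits 18-19,22-23,26-27,30-31: 0=1 1=2 3=4 bytes       */
} Dr7;

Dr7 decode_dr7(uint32_t v)
{
    Dr7 d;
    for (int i = 0; i < 4; i++) {
        d.l[i]   = (v >> (2 * i)) & 1;
        d.g[i]   = (v >> (2 * i + 1)) & 1;
        d.rw[i]  = (v >> (16 + 4 * i)) & 3;
        d.len[i] = (v >> (18 + 4 * i)) & 3;
    }
    d.le = (v >> 8) & 1;
    d.ge = (v >> 9) & 1;
    d.gd = (v >> 13) & 1;
    return d;
}

/* Number of DR0..DR3 slots armed (locally or globally). A BPM set from
 * SoftICE shows up here although the program never set it. */
int dr7_armed_count(uint32_t v)
{
    Dr7 d = decode_dr7(v);
    int n = 0;
    for (int i = 0; i < 4; i++) n += (d.l[i] || d.g[i]);
    return n;
}

/* Bit 10 reads as 1 on every x86 CPU, hence the 0x400 baseline; the 0x700
 * the page reports for the SoftICE loader is 0x400 plus LE and GE. */
int dr7_matches_loader_value(uint32_t v)
{
    return (v & 0x700) == 0x700 && dr7_armed_count(v) == 0;
}

int dr7_rw(uint32_t v, int i)  { return decode_dr7(v).rw[i & 3]; }
int dr7_len(uint32_t v, int i) { return decode_dr7(v).len[i & 3]; }

static const char *rw_name(int rw)
{
    static const char *names[] = {"exec", "write", "io", "read/write"};
    return names[rw & 3];
}

int main(void)
{
    /* constructed values: idle, SoftICE loader, and a 4-byte read/write BPM on DR0 */
    uint32_t samples[] = { 0x400, 0x700, 0x000F0401 };
    for (int i = 0; i < 3; i++) {
        Dr7 d = decode_dr7(samples[i]);
        printf("dr7=%08x LE=%d GE=%d GD=%d armed=%d", (unsigned)samples[i],
               d.le, d.ge, d.gd, dr7_armed_count(samples[i]));
        for (int j = 0; j < 4; j++)
            if (d.l[j] || d.g[j])
                printf(" DR%d:%s/len%d", j, rw_name(d.rw[j]), d.len[j]);
        printf("\n");
    }
    return 0;
}
```

In ring 0 the value would come from mov eax,dr7 and the addresses from
dr0..dr3; the decoder then tells you which BPMs are armed and how wide they
are, which is exactly what a protection clearing them needs to know.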

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to let the
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'; SIWVID and NTICE are checked the same way):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, do not expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; "\\.\SICE"
    0040106C: call CreateFileA
    00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 (esp->4 is lpFileName; the +4 skips the "\\.\" prefix of the device name)

-The most exotic ones (can be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; -> '\\.\SICE',0
    push eax
    call KERNEL32!_lopen       ; returns HFILE_ERROR (-1) if the open fails
    inc eax                    ; -1 becomes 0, so ZF set means "not opened"
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; -> '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger-installation check (methods
05 & 06) but very limited, because it is only available under Win95/98 (not
NT) as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word = VxD ID (VWIN32),
                            ; low word = service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ORD_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
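
The conditional breakpoints of Methods 11 and 13 both read a dword at a fixed
offset into a string argument: esp->4 is lpFileName for CreateFileA and +4
skips the "\\.\" prefix; esp->8 is lpSubKey for RegOpenKey (hKey sits at
esp->4) and 0x13 and 0x37 are where "tICE" falls in keys #2 and #1. Here is
an added example, not from the original page, that re-implements those
conditions in C and runs them over the device names and registry keys listed
above. It differs from SoftICE in one respect: the dword read is
bounds-checked, whereas the breakpoint expression happily reads past a short
string. Running it also shows that key #3 (App Paths\Loader32.Exe) contains no
"tICE" at all, so that breakpoint never fires for it.

```c
/* Added example (not from the original page): the conditional breakpoints of
 * Methods 11 and 13 as C predicates, run over the strings quoted on the page. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Equivalent of SoftICE's *(s+off)=='XXXX': compare the 4 bytes at `off` in
 * memory order. Unlike SoftICE, refuse to read past the end of the string. */
static int dword_tag_at(const char *s, size_t off, const char tag[4])
{
    size_t n = strlen(s);
    if (off + 4 > n) return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName; +4 skips "\\.\". The 16-bit _lopen variant passes the
 * same string, so the same predicate covers it. */
int bpx_createfilea_fires(const char *lpFileName)
{
    return dword_tag_at(lpFileName, 4, "SICE")
        || dword_tag_at(lpFileName, 4, "SIWV")
        || dword_tag_at(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey (hKey is at esp->4). */
int bpx_regopenkey_fires(const char *lpSubKey)
{
    return dword_tag_at(lpSubKey, 0x13, "tICE")
        || dword_tag_at(lpSubKey, 0x37, "tICE");
}

/* Where "tICE" really sits in a subkey (-1 if absent): use it to derive the
 * offset for a key the breakpoint above does not cover. */
long tice_offset(const char *lpSubKey)
{
    const char *p = strstr(lpSubKey, "tICE");
    return p ? (long)(p - lpSubKey) : -1;
}

int main(void)
{
    /* constructed inputs: the device names and registry keys from the page,
       plus two file names that must not fire */
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "C:\\SICE.TXT", "\\\\.\\SI" };
    const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };

    for (size_t i = 0; i < 5; i++)
        printf("CreateFileA(\"%s\") -> %s\n", files[i],
               bpx_createfilea_fires(files[i]) ? "break" : "pass");
    for (size_t i = 0; i < 3; i++)
        printf("RegOpenKey(\"%s\") -> %s (tICE at %ld)\n", keys[i],
               bpx_regopenkey_fires(keys[i]) ? "break" : "pass",
               tice_offset(keys[i]));
    return 0;
}
```

If a program opens SoftICE through a key or device name not in these lists,
run tice_offset() on it and add the resulting offset to the BPX condition.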
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only):

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>