<TABLE width=500>& o, M9 B5 _$ M3 _0 h2 s, X
<TBODY>
3 G+ Z1 `# ?8 k$ I& a4 a% j+ ^<TR>
" j9 ]6 p! d. v- P<TD><PRE>Method 01 - t, v- v5 }8 ^! \4 H& O2 y
=========
, @) D5 G* }' c8 Q8 a% U1 W! K% V! x5 ^' w; Q8 E& ^7 d% N# q1 I# R
This method of detection of SoftICE (as well as the following one) is
1 d3 O7 Z- M/ Wused by the majority of packers/encryptors found on Internet.
, _2 Z- ^5 R/ O! s( U* ~It seeks the signature of BoundsChecker in SoftICE+ ^- A: p& d! F2 L. z
' @8 ?0 I, A) G+ J/ q! x" F9 x
mov ebp, 04243484Bh ; 'BCHK'9 k8 b5 v: Y) I `- D J
mov ax, 04h7 t( q/ A! a4 ~7 O* _3 j
int 3
% T' d! S' K: D! R n [ cmp al,4
; W9 n; a' y& f- ^! g9 t jnz SoftICE_Detected
# P7 v, g+ I. H, g7 M! c! W1 w/ @1 W; j! u
___________________________________________________________________________7 {4 k: w4 p$ j* q* Q/ H
$ r$ R( x+ U. h' C
Method 02
( n# T2 p5 V6 [/ g( J& g5 \=========4 r5 ^) P2 ]! W8 B" _) W2 w* H D
5 @. I/ p p) v) B+ K: IStill a method very much used (perhaps the most frequent one). It is used# l+ t* R" m/ U# F* S6 T! [9 w
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
5 z9 s/ l$ N# D5 M, eor execute SoftICE commands...
# Y8 v# `# q3 RIt is also used to crash SoftICE and to force it to execute any commands
! x. B' P6 A# M+ X: G) _# s$ {(HBOOT...) :-((
- D: I1 T- y. K& ^; e0 ]* @/ ]! M, b1 C' g& d& `& s
Here is a quick description:
# U. n4 d; J0 ?6 G-AX = 0910h (Display string in SIce windows)$ Y6 B9 D0 A9 |( _
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
& X" _4 q, O% u7 s5 j-AX = 0912h (Get breakpoint infos)
8 g' v' n) @# f( I" K g' q/ X-AX = 0913h (Set Sice breakpoints)
8 M; e4 g* d6 L+ k5 I% K-AX = 0914h (Remove SIce breakoints)
) v( @& ?2 B# d: t3 m" n& E& G4 p7 n+ x: t/ q# C2 Y
Each time you'll meet this trick, you'll see:3 `& y p1 r4 w8 e
-SI = 4647h, d$ Z: h Y& }8 s$ g" |
-DI = 4A4Dh6 m3 o6 ?1 d8 T3 Q
Which are the 'magic values' used by SoftIce.
" ^+ e& z; O0 TFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.3 n3 l1 w( c9 C( ?
* `) o5 g+ Y% |9 k. E9 c
Here is one example from the file "Haspinst.exe" which is the dongle HASP) y r! V8 ^, i$ J, F a
Envelope utility use to protect DOS applications:
1 m6 h- h" X- B( h1 U3 ~7 i) N; r7 i- e: |0 i, i% I
8 H( p6 E3 t/ ] |4 X
4C19:0095 MOV AX,0911 ; execute command.& u. ]: H$ }) W! a
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
( Q; O) H$ j/ h( P7 B( h# `9 s4C19:009A MOV SI,4647 ; 1st magic value.
" s, S% l( u! c! C- R: ]4C19:009D MOV DI,4A4D ; 2nd magic value.
* T7 B6 {% ~. `5 |8 u. t4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
% T3 S! D) v7 W- Q" t# q4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute( [0 S. M' ^9 g7 Y7 {! R; n
4C19:00A4 INC CX
7 f/ n# S2 g/ V0 g+ @3 B4C19:00A5 CMP CX,06 ; Repeat 6 times to execute+ M+ o* {. H) H; H3 d% r/ O
4C19:00A8 JB 0095 ; 6 different commands.) P% {8 v& c8 [) b. p( {
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
; J' r3 Z3 _2 A& u0 T) {4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
! w, u+ \: ?+ ~/ v8 J3 P" Y* n! ?, ~+ K! Y3 ]1 X7 O6 e$ P
The program will execute 6 different SIce commands located at ds:dx, which
8 J) W7 E. Z3 M* x3 a$ q9 e' Nare: LDT, IDT, GDT, TSS, RS, and ...HBOOT., p! j t% d/ u' \- q/ ^
+ z/ k/ l1 o0 x- S" n
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
! z) t$ P3 D* p$ h___________________________________________________________________________! I. i7 `$ j `5 Z x
7 v- A- u. Z2 q, `5 `8 i' C
. r! C8 s$ u- }& I8 I8 WMethod 03
( \( a7 Y/ {" x! J ]# m% {=========5 Z4 C' Y7 u Z
2 B% S( W/ u- K. `. n1 L: w& rLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h; p4 J, v1 T8 ~9 @4 n
(API Get entry point); \9 L! w# r; M7 Z) r$ e
& H2 V1 a' Q& ~6 z$ b6 g, I; D$ l, Z
xor di,di
( W9 v) B0 t5 I K) ]+ f+ F mov es,di
& r0 T1 U* j! y+ [9 r& a# L) d N mov ax, 1684h # M. i. ^" B! x0 i3 ^; l$ J
mov bx, 0202h ; VxD ID of winice2 R1 n, L1 F2 E6 W+ c
int 2Fh
; P$ t V! I/ o. I8 M& } mov ax, es ; ES:DI -> VxD API entry point7 J# [6 f( F! v' F
add ax, di* h8 Y; ?+ F5 s" J% Q- x
test ax,ax
: ~# }: q" N. F0 f jnz SoftICE_Detected
9 t" I( H* R- c. b/ z, o$ p; @. J8 r; n- Z0 \
___________________________________________________________________________
$ W2 X: `8 a' H8 t N) \
, c E0 W* X: A8 N( XMethod 04
Q# H: I; `+ w' K% m! M=========
( L+ \* E6 y9 ]1 t; t( p {# g* N" ?& l; s E
Method identical to the preceding one except that it seeks the ID of SoftICE9 K" ~9 q. d) g# `
GFX VxD.
, [" N1 T' E2 _* x$ B- P
5 e6 o1 V5 `3 b7 m. ]! I* U9 P xor di,di+ [% `5 H8 l- w
mov es,di
0 E6 {$ E: W- l0 f6 N: M6 N' U mov ax, 1684h ' x3 w6 U: M+ A; [) y2 U0 V
mov bx, 7a5Fh ; VxD ID of SIWVID
" g7 t A. \" }: o/ Z0 V2 u int 2fh
$ v0 ]3 B: \2 V: |! X0 A mov ax, es ; ES:DI -> VxD API entry point5 c( C3 S9 Q; L1 g$ [
add ax, di
% R5 l; O& O+ @1 P, B* B test ax,ax0 `* p5 `* ?( U
jnz SoftICE_Detected5 ~$ l4 Q1 \: ~, y
3 h/ k* v( {2 G7 C, S4 H
__________________________________________________________________________
* `# h6 y. @6 G: S5 ?- L/ M, ^4 |* u V( Q# w1 _0 y- T
. Q3 d, i' I9 I/ F& U, S+ eMethod 057 ^' w8 O( s$ j5 k" T) K: \
=========9 _# J5 Q' e9 n) [% D t7 u+ n3 b
/ w- P6 d" B7 W: L% V* b8 T
Method seeking the 'magic number' 0F386h returned (in ax) by all system
5 J! Z+ J6 [% r( F. M) mdebugger. It calls the int 41h, function 4Fh.9 d% g6 g/ z( B. ?. V/ W) o9 Y4 Q
There are several alternatives.
) }! F& Z7 ]& E! @1 a+ j6 O, y2 K5 B, {% u2 O" Q* S
The following one is the simplest:
6 @+ D2 l# j( r5 p' s% E
8 _4 j5 u S$ t4 _* B mov ax,4fh) s2 `( R! b+ Z
int 41h
/ x& x2 t" y$ u3 { u3 ^ cmp ax, 0F386
- ?0 `7 b. ]% v jz SoftICE_detected
2 Z8 r$ P) i8 z" A# s9 h5 s
% |" [! l2 S9 u( x, b' k" ~+ m
# T4 B" _- W3 r7 K* i! ^( [& ^Next method as well as the following one are 2 examples from Stone's
% \% S6 O$ ~1 k"stn-wid.zip" (www.cracking.net):
2 V* t4 m6 V9 }. W2 l# p5 A. n9 P; H5 J. S
mov bx, cs
0 N* U# v+ W7 p! f1 h/ C, u+ \ lea dx, int41handler21 b# Y: h6 @8 Z
xchg dx, es:[41h*4]2 k, a- k/ M1 t* P- l1 _1 @3 Z
xchg bx, es:[41h*4+2]
2 _# a+ v9 q; G. S mov ax,4fh
$ T* W7 U9 L0 w) h! K& ?7 f8 k( R int 41h
! k; T8 [' x, p" A9 | xchg dx, es:[41h*4]" _+ P$ p% I4 ?3 v2 \5 t% z5 E8 U
xchg bx, es:[41h*4+2]6 D3 \- b& Y3 O# D2 o
cmp ax, 0f386h
# C, F0 B. ?) t# I jz SoftICE_detected
0 [' Z) _4 r8 O8 S- f V4 s& J+ |, k W l+ r
int41handler2 PROC
7 }9 k9 s W; j iret
9 Z) m+ l' l( h3 |8 S1 h) mint41handler2 ENDP
' @5 R7 [; d; H: o* b1 K& w! O9 w u% W! I0 l0 p( X( }
$ I2 R+ U6 _; }! t3 X
_________________________________________________________________________
! N/ ^$ F+ L$ b" z7 X' C! h/ Y7 X+ J2 ^
' D8 ~- r2 p; z+ z5 yMethod 06
) K3 B$ R& H, ^$ R( x" P=========" J) x F! e/ F+ E4 F
& r/ \% z ?+ r2 c5 u5 e, g, l
C; U3 M7 E1 J! q
2nd method similar to the preceding one but more difficult to detect:9 }% h; r1 e) O1 ?
" [ E4 V5 k8 N8 S- C2 L& O) y) x( B6 c+ o& G8 o
int41handler PROC
% |. a% d/ D3 u& k" ~, ] mov cl,al8 V* ~6 x- ]$ C8 K+ v9 s
iret% ]9 X/ [0 v$ p" Q X" a8 l7 S0 q
int41handler ENDP+ u2 _1 Y3 ~' w g, w
7 D5 m: m8 k+ y, S8 C
& F8 U2 W8 _- F2 G" K
xor ax,ax0 r( v8 i( ^- o- H! j0 [5 A
mov es,ax. c6 O" L; e& ^, V& f2 `) ]
mov bx, cs
% X- T( @' u# Z* G% k4 Y" D lea dx, int41handler+ C' d6 K' m0 S( g* F
xchg dx, es:[41h*4]
! S) A* @2 c ^7 O( n xchg bx, es:[41h*4+2]) w$ k/ {) F9 u9 w2 x) u
in al, 40h
' G# [8 Y$ [4 {4 P# O) O k xor cx,cx
4 V: W' P; _: n; l int 41h
8 N1 R0 P- o E) G4 n xchg dx, es:[41h*4]
- r1 Z& q$ U }" m( L xchg bx, es:[41h*4+2]
2 y2 ?- I$ U/ }# b; r cmp cl,al1 f2 S6 ^- b* ~% U! z5 Q- f
jnz SoftICE_detected
+ b( \& Q% d/ R3 K
o" S- g) \6 T& t r8 |% Q" k_________________________________________________________________________
" ]* K7 Q$ Q4 w9 P% d# Q! j7 [) E6 C* A4 Y' f6 u1 a
Method 07
* ]) l# W" A$ p=========
4 f9 U) I W: M) N, y) O C, c2 I
9 ~ m& y- r" u, p+ M/ t6 x9 UMethod of detection of the WinICE handler in the int68h (V86)
) o* u8 J% s3 u, p
7 X: G! R# H3 O1 O8 K. ^6 D3 n mov ah,43h! R3 ^" D$ r6 A- ?2 I# t
int 68h) d. _. L! E' Q
cmp ax,0F386h" v, r; s( n3 L/ o) G
jz SoftICE_Detected
' p( @" q, Y _ o- x i2 p
' y' k* p5 ~ i
* w/ K& @3 r: n" V# [1 B* r6 I4 r=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
3 U& P9 V9 Y: x7 y2 W- M app like this:- k3 W. {, X+ }- d0 s( e$ c
N2 W3 `" a0 j: ^7 J4 C k8 ] BPX exec_int if ax==685 u' e4 m+ ~: N, P# h
(function called is located at byte ptr [ebp+1Dh] and client eip is4 T7 l% n/ x" Q/ t/ q, i
located at [ebp+48h] for 32Bit apps)/ I. C5 s! e) v" c. K
__________________________________________________________________________
1 R9 u$ c) O8 t9 N5 L
! J# ^/ R6 G& ?. v& f2 ~4 M: j0 Y1 c
Method 08
0 r2 h) C& T! u- Q! v=========% F7 R. X5 Q" j. S W, i
7 j- E: D+ E7 A6 t$ _$ C6 r
It is not a method of detection of SoftICE but a possibility to crash the: ]' k- F2 Q T, I- f' Y5 X
system by intercepting int 01h and int 03h and redirecting them to another$ L' y6 h: V' l9 ~ p( M
routine.
d3 y, ?+ {+ {9 S/ j! SIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
2 U3 y- l6 N/ n4 j/ J' W" z8 {to the new routine to execute (hangs computer...)+ a( E3 W1 X8 |, G3 l6 m
4 Z8 R' |% A, d mov ah, 25h
! [1 a$ q2 H9 f7 I5 _1 u: \ mov al, Int_Number (01h or 03h)
4 ?) h0 \( l1 {$ Q0 ? mov dx, offset New_Int_Routine* O- `. k+ ]5 J( d; t1 ]
int 21h
9 V! B$ Y/ L; v5 v# G0 u7 P) p' ^! Z. h
__________________________________________________________________________$ n6 O" s5 ?4 Z9 Y
; I5 [5 p% [) BMethod 09- q; e9 d& K. n3 a$ u( I j( i
=========
4 k" @+ P5 p9 |7 x8 K: `4 f5 x! w
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
7 q$ o9 C5 X& K; W0 h I' v3 X/ Hperformed in ring0 (VxD or a ring3 app using the VxdCall).
/ ?! y% v4 U' F6 J+ V5 eThe Get_DDB service is used to determine whether or not a VxD is installed+ w/ b# S% ?! W. [$ ~, Q$ V
for the specified device and returns a Device Description Block (in ecx) for3 w8 P) c. I M2 x, X
that device if it is installed.
. Y; t) A) P; d- p P. W( y2 F
. ?, Q- O- @3 h* g6 ^3 Y+ k mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
7 H3 o1 k- Y1 m5 b. B mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)& i# T4 f4 z0 Z
VMMCall Get_DDB
) W4 N' ^+ [9 y, n mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed* T' M' f; B' r {0 l3 H! C
0 v6 ?' V; d! S8 PNote as well that you can easily detect this method with SoftICE:
' E4 o, d, _6 c5 v' o6 `6 U9 H bpx Get_DDB if ax==0202 || ax==7a5fh
[: \) ^/ @+ Y* g- z- C9 E0 J- D: R, w! q* g% ~
__________________________________________________________________________# u* a3 T9 e9 i" t: G. {) E
5 e1 B+ _( u6 \: i0 xMethod 10
: `5 F7 e7 ?7 g) G=========' I6 a/ o" }5 [8 F) o( o: f6 ~
$ r; T1 {# H& S; J
=>Disable or clear breakpoints before using this feature. DO NOT trace with5 n, n; E# w/ a3 X+ j9 @9 D' l
SoftICE while the option is enable!!
1 l0 B: N7 g ]; S& h& F: q, ~4 X. R0 W1 [4 L2 _( ]
This trick is very efficient:
/ e6 e% y: u; ^* K7 E0 iby checking the Debug Registers, you can detect if SoftICE is loaded, Q, }8 X5 R: C/ [ c
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
! Y+ I! r0 J% cthere are some memory breakpoints set (dr0 to dr3) simply by reading their7 S# L7 ]6 \* ?4 H2 f
value (in ring0 only). Values can be manipulated and or changed as well) x. v- O# d4 S% ]- E5 I% e @
(clearing BPMs for instance)
2 W, D- q6 v5 P; z/ e4 j- y' a4 Y. c8 U9 J, J2 \
__________________________________________________________________________: h1 r0 M V6 v. _" y1 }5 Y$ H
, z e* o& f u
Method 11' M9 k. T) B0 P5 y; |" m3 g6 u
=========2 z8 }( n0 `8 T2 u
* v4 U1 o# w9 p+ l% g
This method is most known as 'MeltICE' because it has been freely distributed
1 f8 L. I- b# @! ~9 r2 Z" D l6 H% rvia www.winfiles.com. However it was first used by NuMega people to allow+ i. ~, j# q& j' x. @1 Y
Symbol Loader to check if SoftICE was active or not (the code is located
* u8 [# k/ K V: B1 oinside nmtrans.dll).# `; O( M# x. D% I4 O3 w
: U: A# Z# [7 R9 M& g) o B3 P0 e
The way it works is very simple:
5 k$ e. v. n- w l6 \It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
) d$ |* q7 ] M# V$ x+ Z" cWinNT) with the CreateFileA API.
9 A, `0 e% s; R! o" [! @9 N) R8 [3 V$ e! a. q8 ?5 b
Here is a sample (checking for 'SICE'):
% d. C( D/ I2 \2 O! }- U
* J- H3 W$ f! h, uBOOL IsSoftIce95Loaded()
4 k# K4 y' d: M1 B0 C{5 V3 i7 _' F. r- p2 o0 B1 R5 t2 z9 |
HANDLE hFile;
2 i/ }+ O3 R+ H6 e1 o3 ^ hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,2 }3 X, r5 B# v* N1 p
FILE_SHARE_READ | FILE_SHARE_WRITE,* f4 {' r& P& z8 m" c8 h Q
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
2 m1 ]* Z2 }' _: j" }' I if( hFile != INVALID_HANDLE_VALUE )2 s7 {3 k1 i2 Y
{ c# a1 ?# {7 O; @# e4 |4 w
CloseHandle(hFile);
% ^; v/ p0 B) k. f- G return TRUE;
6 u6 ?4 D8 f- q$ G0 n }
. L) y; K% c( D( ?2 I @ return FALSE;% o, j* ^8 A) K9 E3 U, h
}
7 C$ d, q' |1 B7 o! i
2 P7 O8 K" x* c2 \7 \Although this trick calls the CreateFileA function, don't even expect to be# S; S& g+ F. g
able to intercept it by installing a IFS hook: it will not work, no way!" c W7 n* h( V% a. E
In fact, after the call to CreateFileA it will get through VWIN32 0x001F' ~. | m: _+ x5 @
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)9 T6 r+ Q0 D. F' m$ `
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
0 j% s7 s1 _0 S7 Kfield.
r2 J' N# ^2 }2 A( C$ ?5 j0 T s+ lIn fact, its purpose is not to load/unload VxDs but only to send a
7 W5 T* B- ]. Q6 y# r+ x; eW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)* p. y- }8 T+ ~: _, K
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
d2 c1 R" K0 [. zto load/unload a non-dynamically loadable driver such as SoftICE ;-).; {% x4 N# D" A1 Q _' E
If the VxD is loaded, it will always clear eax and the Carry flag to allow
+ S u2 B, i0 Z$ [( X9 lits handle to be opened and then, will be detected.3 k7 U- K6 w, I! b) ~1 E
You can check that simply by hooking Winice.exe control proc entry point6 F( p7 Q( q0 C4 y( \1 k) [
while running MeltICE.
6 q! b1 N9 p; u9 x+ j7 U1 j/ m6 B4 c ]* ?! i& f
7 t7 O7 ~+ D" r+ u6 u
00401067: push 00402025 ; \\.\SICE( e [+ |- J* G# Z0 F
0040106C: call CreateFileA$ ~5 A" W3 t0 W5 Z7 ^% P @1 \
00401071: cmp eax,-001
5 G9 D! b% R4 N- f, V5 c 00401074: je 00401091
" Z0 z! ], I% Z h# Z
7 s$ P! C7 q) p/ j% Z3 R/ D& R+ B @+ W8 {1 ~ W5 t) m
There could be hundreds of BPX you could use to detect this trick.* Y, Q2 |% f" P, Y# Q
-The most classical one is:/ T1 l( K) H) E6 \
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
9 y& K3 O/ X t3 H *(esp->4+4)=='NTIC'% M' ]+ Q' u3 _7 j# c' |. K3 ?, q/ [
7 ]3 x9 p5 G6 n: C% r-The most exotic ones (could be very slooooow :-(" w, n$ C9 [$ o1 ?/ b( V' R
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 8 ?! d8 ~+ v9 b _7 Z5 \8 r
;will break 3 times :-(
% C' x3 G; G+ ?* F2 ~! k6 K2 u- M0 [* x, e
-or (a bit) faster:
; y! _7 ~" T# |# R' o7 k) b% _; Q BPINT 30 if (*edi=='SICE' || *edi=='SIWV')* V% d) K2 N- U1 ]) N a0 }
7 K& I$ y0 w: R% y* a2 p( n- } BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
) i* R+ Q4 D! a ;will break 3 times :-(
4 e$ b0 [! Q$ t) L0 {" W4 m& F/ X& D
-Much faster:# C- S2 M' v4 H! G# M* H* L
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
% F9 q. `9 I1 p+ J1 ~7 Z+ p% `, [; w
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen9 e( r n# @1 `7 O' z8 V2 g4 s
function to do the same job:9 M& P$ Y4 S$ C6 d; X- \
" r# H Y x1 \" B- h" F8 F
push 00 ; OF_READ& k, A2 |& S) |8 {$ [2 F" ~
mov eax,[00656634] ; '\\.\SICE',0# P9 p9 z [0 \) ]
push eax$ t( e/ O6 t# f& K' h7 N
call KERNEL32!_lopen
2 K& I- u" m8 i% v, _: ] inc eax
- d( h2 @: ?. E" h7 | jnz 00650589 ; detected% c% P: o- P2 c& o
push 00 ; OF_READ: x6 x" Q7 B+ `) w' }8 m% a X
mov eax,[00656638] ; '\\.\SICE'
: @2 L \ ]$ g0 v/ p; D push eax
B% ?9 u8 R* m2 _ call KERNEL32!_lopen
! W6 ^- z; \9 a) [ inc eax. F Y1 `# x; j Z/ ]5 y! w
jz 006505ae ; not detected1 o% Y; t3 Y! H; Q# z, ]
0 m7 P" W8 @% h: [8 ^4 b8 N7 g7 a6 C: u% V, f7 t0 Q- r
__________________________________________________________________________4 Y% D: T( u' e. B+ \
8 ]6 ^! ~. [1 t5 w" O
Method 12 O K! ~/ F* Q h" c9 N
=========
& r) j, S) e* P2 e$ ~
0 L9 T) G! h$ }2 f" hThis trick is similar to int41h/4fh Debugger installation check (code 055 z+ }& E5 R" D9 O
& 06) but very limited because it's only available for Win95/98 (not NT); o9 g$ g; P+ E u6 j
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
7 s2 X1 f! p2 j& B2 d2 T- n/ |" K2 C0 T7 {: ^" B+ X- W& j' ^
push 0000004fh ; function 4fh- M) W+ g6 g3 L% N" k
push 002a002ah ; high word specifies which VxD (VWIN32)$ s# @6 u K( l$ s$ r' s/ ~
; low word specifies which service
( A" E5 R8 }5 \; M7 @, V (VWIN32_Int41Dispatch)# ~, V% I: h/ b# _: c: r, |
call Kernel32!ORD_001 ; VxdCall$ p& |& s) d. h$ j" I0 G
cmp ax, 0f386h ; magic number returned by system debuggers
/ `, t5 Y1 B) l- G5 R! k* r& ] jz SoftICE_detected
- Q" W' K2 ~' g3 `5 E8 O
" D- l& V9 B" |- p3 ?/ C# cHere again, several ways to detect it:) h) K P I9 q8 Y, ]; U
0 |$ o7 W3 R; f8 r6 O( {: j
BPINT 41 if ax==4f
) k1 H* I7 Y, _7 m3 p4 u$ H. p# v, H! m1 ^5 @4 W& N
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one6 y$ {" M6 f" U1 y2 J' V
; {$ W4 {$ a) s, V# Y( b
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
* r9 I6 `7 t5 b) G5 _- m# d6 s f
( y( {6 Q: r+ D; \! M/ }( O: t- B BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
# A; F u# F: O: S. k$ f1 l% G+ p ~! Q3 b6 r
__________________________________________________________________________
. h6 n$ q% c) Y1 ?, t" K3 z W7 t! V
3 {+ n$ Z) }) h( QMethod 138 ~9 X# Y8 T) b/ |/ U( t8 E
=========: b( j9 h- n( P7 @5 t3 J
$ ~6 H0 d% O9 l+ }. ?. C9 FNot a real method of detection, but a good way to know if SoftICE is
" s2 m; o+ q2 V# iinstalled on a computer and to locate its installation directory.$ G0 d% ?3 H4 H$ V
It is used by few softs which access the following registry keys (usually #2) :
7 \) m7 k- O* E1 m ~( Y
5 \* T7 O/ A( l-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
3 M" Z+ ^' h0 q\Uninstall\SoftICE7 g$ c+ d9 t3 H+ H4 t' [0 U* u
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
( n& X+ |/ z/ {# N5 s. t7 m-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion" l6 ?/ Y( [8 [4 U& O, x
\App Paths\Loader32.Exe9 n7 I, B$ Y9 _) h6 T' a$ G
1 E$ E7 a+ C+ g. ]3 R: G
+ g7 Z- H! ]. O! x' dNote that some nasty apps could then erase all files from SoftICE directory
; [ |# }; }9 s3 `' `4 d. R8 u(I faced that once :-(1 W" P: Y) l3 C) `8 Z. T
8 ~$ Y2 m8 r9 O% Y5 P
Useful breakpoint to detect it:
# ^" P7 y# T# W/ F: q4 p8 k, u$ i
9 R7 C @. Y* p9 b BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'8 S+ y5 y, s8 r% ]8 c2 m
$ f6 @" M0 L# ?
__________________________________________________________________________
; k: V$ G5 `& O0 r/ z
7 d$ k4 ?2 l2 V) a
+ a. f& ]: E! {Method 14 ( s) y9 ^9 V& I( z, S( C) v
=========
/ [3 G1 h2 E1 ]( {( y# u( s ]8 g& W) b( R. }2 \
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
& j+ \* J9 o6 l8 I" n$ W; Ois to determines whether a debugger is running on your system (ring0 only).
0 ]9 [8 i ?! S1 J) k1 a; D3 w2 v H5 O& {. N
VMMCall Test_Debug_Installed7 J; q k6 }9 ^ f
je not_installed0 Q5 `! ?9 }# J
( W) W- K$ b" K' OThis service just checks a flag.
" D7 G; s# v1 `* a5 K2 v</PRE></TD></TR></TBODY></TABLE> |