<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                ; al stays 4 unless SoftICE answered the request
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; ES:DI is still 0:0 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler (ES=0 assumed)
    xchg bx, es:[41h*4+2]       ; ...keeping the old vector in BX:DX
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h              ; our dummy handler leaves ax alone; if ax is
    jz SoftICE_detected         ; 0F386h, something below the IVT answered

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; record the al value our handler actually saw
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer port: a hard-to-predict byte
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; cl was never set if our handler did not run
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h                     ; DOS set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh


___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the open only succeeds when the SICE VxD is loaded (see below) */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                                   ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>