<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh         ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h               ; VxD ID of WinICE
    int 2Fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax                 ; ES:DI == 0 means no such VxD
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh               ; VxD ID of SIWVID
    int 2fh
    mov ax, es                  ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax                  ; es = 0: es:[41h*4] is the int 41h IVT entry
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install a dummy int 41h handler,
    xchg bx, es:[41h*4+2]       ; keeping the old vector in dx:bx
    mov ax, 4fh
    int 41h                     ; a loaded SoftICE answers instead of the dummy
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; timer port: an unpredictable value in al
    xor cx, cx
    int 41h                     ; our handler copies al into cl...
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected        ; ...unless a debugger took the call instead

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name only exists while the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( :
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

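The constants quoted in Methods 01 to 05, 07, 11, 12 and 13 (the 'BCHK' value, the SI/DI magic values, the VxD IDs, the int 41h/4Fh and int 68h/43h calls, the driver names, the VWIN32 service number and the registry key) are enough to triage a sample for these tricks before stepping through it. The Python below is an added example and not code from the original text: the byte encodings are hand-assembled 16-bit forms (which also match as substrings of the 66h-prefixed 32-bit forms), and the sample buffer is constructed for the demonstration.

```python
import re

# Byte idioms taken from the methods above. The encodings are the 16-bit
# forms (mov r16,imm16 / int n); 32-bit code puts a 66h prefix in front of
# the same bytes, so they still match as substrings. Assumed, not from the text.
SIGNATURES = [
    ("01 BoundsChecker 'BCHK' (mov ebp,4243484Bh)",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("02 int 3 back door (mov si,4647h ... mov di,4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.DOTALL)),
    ("03 int 2Fh/1684h with VxD ID 0202h (SICE)",
     re.compile(rb"\xBB\x02\x02.{0,8}?\xCD\x2F", re.DOTALL)),
    ("04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.DOTALL)),
    ("05 int 41h function 4Fh (magic 0F386h)",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.DOTALL)),
    ("07 int 68h function 43h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    ("11 MeltICE driver name (SICE/SIWVID/NTICE)",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00")),
    ("12 VxDCall VWIN32_Int41Dispatch (push 002A002Ah)",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
    ("13 NuMega registry key",
     re.compile(rb"Software\\NuMega\\SoftICE")),
]


def scan(buf: bytes) -> list[tuple[str, int]]:
    """Return (method description, offset) for every idiom found in buf."""
    return [(name, m.start())
            for name, pat in SIGNATURES for m in pat.finditer(buf)]


def methods_found(buf: bytes) -> list[str]:
    """Method numbers (as in the text above) in order of appearance."""
    return [name[:2] for name, _ in sorted(scan(buf), key=lambda h: h[1])]


# Constructed sample: stubs hand-assembled from the listings above, glued
# together with filler bytes. Not a real file.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    + b"MZ junk "
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"      # method 02 (Haspinst)
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"                                       # method 11 device name
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"              # method 05
)

if __name__ == "__main__":
    for name, off in sorted(scan(SAMPLE), key=lambda h: h[1]):
        print(f"offset {off:#06x}: method {name}")
```

A hit only says the idiom is present; as Method 05 shows, the same bytes can sit behind an installed handler or a VxDCall, so confirm with the corresponding breakpoint from the text.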
__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>