<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh  ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4             ; al is still 4 if nobody handled the int 3
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di              ; ES:DI = 0 before the call
 mov ax, 1684h
 mov bx, 0202h          ; VxD ID of winice
 int 2Fh
 mov ax, es             ; ES:DI -> VxD API entry point, still 0 if no VxD
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh          ; VxD ID of SIWVID
 int 2Fh
 mov ax, es             ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]    ; assumes es = 0 (interrupt vector table), as set in method 06
 xchg bx, es:[41h*4+2]  ; install our own int 41h handler, keep the old vector in bx:dx
 mov ax,4fh
 int 41h                ; our handler just irets; a system debugger answers 0F386h instead
 xchg dx, es:[41h*4]    ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al              ; echo al back in cl so the caller knows we ran
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax              ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]    ; install our own int 41h handler, save the old one in bx:dx
 xchg bx, es:[41h*4+2]
 in al, 40h             ; read the PIT counter: a value the debugger cannot predict
 xor cx,cx
 int 41h                ; if SoftICE intercepts int 41h our handler never runs and cl stays 0
 xchg dx, es:[41h*4]    ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

 mov ah, 25h            ; DOS set interrupt vector
 mov al, Int_Number     ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025       ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00                ; OF_READ
 mov eax,[00656634]     ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax                ; _lopen returns -1 (HFILE_ERROR) when the open failed
 jnz 00650589           ; detected
 push 00                ; OF_READ
 mov eax,[00656638]     ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae            ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh         ; function 4fh
 push 002a002ah         ; high word specifies which VxD (VWIN32),
                        ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001  ; VxdCall
 cmp ax, 0f386h         ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386                        ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed   ; sets the zero flag if no debugger is installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
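As an added, analyst-side example that is not part of the original text, here is a small Python triage scanner that looks for the byte patterns of the checks catalogued above (methods 01 to 07, 11, 12 and 13) in a raw binary, so the anti-debugging code can be located before a sample is stepped through; the instruction encodings, the gaps tolerated between instructions and the sample buffer are this example's own assumptions.

```python
import re

# Constructed table of byte regexes for the checks described in the text,
# using the plain 16-bit (methods 01-07) and 32-bit (method 12) encodings.
# The instruction order and the small gaps allowed between instructions are
# this example's assumptions; packers may reorder or obfuscate the sequences.
ANY = rb"[\x00-\xff]"
SIGNATURES = [
    ("01 BoundsChecker 'BCHK' int 3 probe",        # mov ebp,4243484Bh .. int 3
     rb"\xbd\x4b\x48\x43\x42" + ANY + rb"{0,8}?\xcc"),
    ("02 back door magic SI=4647h DI=4A4Dh",       # mov si,4647h ; mov di,4A4Dh ; int 3
     rb"\xbe\x47\x46\xbf\x4d\x4a" + ANY + rb"{0,4}?\xcc"),
    ("03/04 int 2Fh/1684h with SICE or SIWVID ID",  # mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
     rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    ("05 int 41h/4Fh compared with 0F386h",        # mov ax,4Fh ; int 41h .. cmp ax,0F386h
     rb"\xb8\x4f\x00\xcd\x41" + ANY + rb"{0,8}?\x3d\x86\xf3"),
    ("07 int 68h/43h V86 handler check",           # mov ah,43h ; int 68h ; cmp ax,0F386h
     rb"\xb4\x43\xcd\x68\x3d\x86\xf3"),
    ("11 MeltICE device name",                     # "\\.\SICE", "\\.\SIWVID", "\\.\NTICE"
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12 VxDCall VWIN32_Int41Dispatch/4Fh",        # push 4Fh ; push 002A002Ah
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    ("13 NuMega registry key probe",               # ...\Software\NuMega\SoftICE
     rb"NuMega\\SoftICE"),
]


def scan(blob: bytes) -> list:
    """Return (offset, label) pairs for every signature match, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: the Haspinst.exe loop quoted under method 02, hand
# assembled, padded with NOPs and followed by the MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09"           # mov ax,0911h
    + b"\x8b\x17"               # mov dx,[bx]
    + b"\xbe\x47\x46"           # mov si,4647h
    + b"\xbf\x4d\x4a"           # mov di,4A4Dh
    + b"\xcc"                   # int 3
    + b"\x83\xc3\x02"           # add bx,2
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"        # "\\.\SICE"
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:08x}  {label}")
```

A hit is only a lead to confirm under the debugger; offsets in a packed sample are meaningful only after unpacking, and a check that has been split or reordered will not match these fixed sequences.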