<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature in SoftICE: the 'BCHK' request is issued through
int 3, and if SoftICE answers it, AL no longer holds the value 4.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). ES:DI stays 0000:0000 when the VxD is not
present, so any non-zero entry point means it is loaded.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

This variant, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily replaced
by a dummy handler, so only a debugger that intercepts int 41h before the
vector table handler still answers with 0F386h:

 xor ax,ax ; (added) ES must address the interrupt vector table at 0000:0000
 mov es,ax
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; read the PIT counter: a pseudo-random byte
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al ; the dummy handler copies al into cl; if it never ran, a debugger swallowed int 41h
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
of that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
 mov edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (dr7=0x700 if you loaded the program with the SoftICE
loader, 0x400 otherwise) or whether some memory breakpoints are set (dr0 to
dr3), simply by reading their value (in ring 0 only). The values can be
manipulated or changed as well (clearing BPMs for instance).

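The two DR7 constants quoted above are bitfields, not arbitrary magic numbers. The Python below is an added example, not part of the original text: it decodes DR7 according to the IA-32 layout (L/G enable bits 0-7, LE bit 8, GE bit 9, reserved bit 10, GD bit 13, R/W and LEN fields in bits 16-31) and applies Method 10's reasoning to a register snapshot. The snapshots in the block are constructed, not captured from a real machine.

```python
"""Decode the DR7 state that Method 10 reads (added example)."""
from typing import Dict, List, Sequence

RW_KINDS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}  # 8-byte length exists only on 64-bit capable CPUs


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into named fields; 'slots' lists only the enabled breakpoints."""
    slots: List[Dict[str, object]] = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({
            "index": i,
            "scope": "global" if glob else "local",
            "kind": RW_KINDS[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),          # local exact breakpoint match
        "GE": bool((dr7 >> 9) & 1),          # global exact breakpoint match
        "reserved_bit10": bool((dr7 >> 10) & 1),  # always reads as 1
        "GD": bool((dr7 >> 13) & 1),         # general detect: any DR access raises #DB
        "slots": slots,
    }


def debugger_indicators(dr0_3: Sequence[int], dr7: int) -> List[str]:
    """Method 10's reasoning applied to a snapshot of DR0-DR3 and DR7.

    0x400 is the idle value (only the always-set reserved bit). 0x700 adds
    LE|GE, the value the text attributes to the SoftICE loader. Any enabled
    slot or non-zero address register means a hardware breakpoint (BPM) is armed.
    """
    fields = decode_dr7(dr7)
    reasons: List[str] = []
    if fields["LE"] or fields["GE"]:
        reasons.append("LE/GE exact-match bits set (dr7 != 0x400, loader signature)")
    if fields["slots"]:
        kinds = ", ".join(f"DR{s['index']} {s['kind']}/{s['length']}B"
                          for s in fields["slots"])
        reasons.append(f"enabled hardware breakpoint(s): {kinds}")
    if any(dr0_3):
        reasons.append("non-zero linear address in DR0-DR3")
    if fields["GD"]:
        reasons.append("GD set: reads of the debug registers themselves are trapped")
    return reasons


if __name__ == "__main__":
    # Constructed snapshots: idle, loader signature, and a 4-byte write BPM in DR0.
    for regs, dr7 in (([0, 0, 0, 0], 0x400),
                      ([0, 0, 0, 0], 0x700),
                      ([0x401000, 0, 0, 0], 0xD0701)):
        print(hex(dr7), debugger_indicators(regs, dr7) or ["nothing suspicious"])
```

Reading the decode is what makes the warning at the top of this method concrete: a BPM set with SoftICE shows up as an enabled slot plus its address in DR0-DR3, which is exactly what the protected program inspects.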
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple: it tries to open handles to the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 on failure, so eax becomes 0 when no handle was opened
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
and 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
                ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_0001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
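Every check in the list above leaves fixed bytes in the program that performs it: the immediates 4243484Bh, 4647h/4A4Dh, 1684h with 0202h or 7A5Fh, 0F386h and 002A002Ah, the `\\.\SICE` family of device names, and the registry paths of Method 13. The Python scanner below is an added example, not part of the original text or of any tool it names. It turns the instruction encodings quoted in Methods 01-05, 07, 11, 12 and 13 into byte patterns and reports where they occur in a buffer, so an analyst can locate an anti-debugging check in a sample before stepping into it. SAMPLE is a constructed buffer, not a real binary; the optional 66h prefix is an assumption made so the same 16-bit immediates are also found in 32-bit code.

```python
"""Static scanner for the anti-SoftICE checks listed above (added example)."""
import re
import sys
from typing import List, NamedTuple


class Finding(NamedTuple):
    method: str   # method number(s) from the text that use this byte pattern
    name: str     # short label
    offset: int   # byte offset of the hit in the scanned buffer
    match: bytes  # the bytes that matched


# Immediate operands are little-endian. In 16-bit code the AX/SI/DI moves are
# plain opcodes; 32-bit code needs a 66h operand-size prefix for the same
# 16-bit immediates, so the prefix is optional (assumption: both code models).
SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK' BoundsChecker request)",
     rb"\x66?\xBD\x4B\x48\x43\x42"),
    ("02", "mov si,4647h / mov di,4A4Dh (back door magic values)",
     rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A"),
    ("03/04", "mov ax,1684h / mov bx,0202h|7A5Fh (SICE or SIWVID VxD ID)",
     rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB(?:\x02\x02|\x5F\x7A)"),
    ("05/07/12", "cmp ax,0F386h (system debugger magic number)",
     rb"\x66?\x3D\x86\xF3"),
    ("11", "\\\\.\\SICE, SIWVID or NTICE device name (MeltICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("12", "push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),
    ("13", "SoftICE registry key path",
     rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)"),
]
# DOTALL so the .{0,8}? gaps between two instructions also span 0x0A bytes.
_COMPILED = [(m, n, re.compile(p, re.DOTALL)) for m, n, p in SIGNATURES]


def scan(buf: bytes) -> List[Finding]:
    """Return every signature hit in buf, sorted by offset."""
    hits = [Finding(method, name, m.start(), m.group(0))
            for method, name, rx in _COMPILED
            for m in rx.finditer(buf)]
    return sorted(hits, key=lambda f: f.offset)


# Constructed sample, not a real binary: 16-bit fragments of Methods 01, 02 and
# 05 glued together with NOP padding, followed by the strings a MeltICE-style
# Win32 program would carry.
SAMPLE = (
    b"\x90" * 4                            # 0-3 padding
    + b"\x66\xBD\x4B\x48\x43\x42"          # 4: mov ebp,4243484Bh (16-bit code)
    + b"\xB8\x04\x00\xCC"                  # 10: mov ax,4 / int 3
    + b"\x90" * 3                          # 14-16
    + b"\xB8\x11\x09\x8B\x17"              # 17: mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # 22: mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 3                          # 29-31
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # 32: mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x00\x00"                          # 40-41
    + b"\\\\.\\SICE\x00"                   # 42: device name with NUL terminator
    + b"Software\\NuMega\\SoftICE\x00"     # 51: registry path (key match at 60)
)


def main(argv: List[str]) -> int:
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    for f in scan(data):
        print(f"{f.offset:08x}  Method {f.method:<9} {f.name}  [{f.match.hex(' ')}]")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a file path to scan that file; without an argument it scans SAMPLE. A three-byte immediate such as 3D 86 F3 will occasionally match data by chance, so a hit marks a place to read the disassembly, not proof that the check is there.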