<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; es = 0: interrupt vector table segment
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler ...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ... and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer value, unpredictable
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl != al: our handler was not reached
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h                     ; set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32 API (windows.h) */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Try to open the SoftICE Win9x driver through its device name. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* The driver answered: SoftICE is loaded. */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025        ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001
        00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

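The instruction sequences and strings quoted for methods 01 to 05, 07, 11, 12 and 13 can also be found statically, without SoftICE loaded. The following scanner is an added example, not part of the original text: it searches a DOS/Win9x binary for the byte encodings of those sequences (standard x86 opcodes; it assumes 16-bit code for the int-based checks and 32-bit code for the VxDCall one) and for the MeltICE device names and the NuMega registry key. The sample blob at the bottom is constructed for the demonstration.

```python
import re
from typing import List, Tuple

# (description, regex over raw bytes). Hex constants are those quoted in the
# text; opcode encodings are standard x86 (assumed 16-bit code for methods
# 01-07, 32-bit code for method 12).
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 (66h prefix in 16-bit code)
    ("01 BoundsChecker 'BCHK'", re.compile(rb"\x66?\xbd\x4b\x48\x43\x42.{0,8}?\xcc", re.S)),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (back-door magic values)
    ("02 back-door SI=4647h DI=4A4Dh", re.compile(rb"\xbe\x47\x46\xbf\x4d\x4a\xcc")),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("03/04 int 2Fh/1684h VxD ID", re.compile(rb"\xb8\x84\x16\xbb(\x02\x02|\x5f\x7a)\xcd\x2f")),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    ("05 int 41h/4Fh", re.compile(rb"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3")),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    ("07 int 68h/43h", re.compile(rb"\xb4\x43\xcd\x68\x3d\x86\xf3")),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall Int41Dispatch", re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
    # Method 11 (MeltICE): driver names passed to CreateFileA / _lopen
    ("11 MeltICE driver name", re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)")),
    # Method 13: SoftICE registry key
    ("13 SoftICE registry key", re.compile(rb"Software\\NuMega\\SoftICE")),
]


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (description, offset) for every signature hit, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample (not a real binary): filler bytes around four of the patterns.
SAMPLE = (
    b"\x90" * 4
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"          # method 02 sequence at offset 4
    + b"\x90" * 3
    + b"\xb8\x84\x16\xbb\x5f\x7a\xcd\x2f"      # method 04 (SIWVID) at offset 14
    + b"\x00" * 2
    + b"\\\\.\\SICE\x00"                       # MeltICE device name at offset 24
    + b"\x90" * 2
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"      # method 05 sequence at offset 35
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, off in scan(data):
        print(f"{off:08x}  method {name}")
```

A hit only says the byte pattern is present; the surrounding code still has to be read, since a compiler can split or reorder the instructions the text lists back to back.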
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>