<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov  ebp, 04243484Bh        ; 'BCHK'
        mov  ax, 04h
        int  3                      ; SoftICE answers the BoundsChecker call by changing AL
        cmp  al, 4                  ; AL still 4 = nobody answered
        jnz  SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911        ; execute command.
4C19:0098  MOV  DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647        ; 1st magic value.
4C19:009D  MOV  DI,4A4D        ; 2nd magic value.
4C19:00A0  INT  3              ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02          ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06          ; Repeat 6 times to execute
4C19:00A8  JB   0095           ; 6 different commands.
4C19:00AA  JMP  0002           ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP          ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor  di, di
        mov  es, di                 ; ES:DI = 0:0 before the call
        mov  ax, 1684h              ; int 2Fh function 1684h: get VxD API entry point
        mov  bx, 0202h              ; VxD ID of winice
        int  2Fh
        mov  ax, es                 ; ES:DI -> VxD API entry point (still 0:0 if absent)
        add  ax, di
        test ax, ax
        jnz  SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor  di, di
        mov  es, di
        mov  ax, 1684h
        mov  bx, 7a5Fh              ; VxD ID of SIWVID
        int  2fh
        mov  ax, es                 ; ES:DI -> VxD API entry point
        add  ax, di
        test ax, ax
        jnz  SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov  ax, 4fh
        int  41h
        cmp  ax, 0F386h
        jz   SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov  bx, cs
        lea  dx, int41handler2
        xchg dx, es:[41h*4]         ; ES must be 0 (IVT) here, as set up in Method 06
        xchg bx, es:[41h*4+2]       ; install our own int 41h handler, keep the old vector in DX:BX
        mov  ax, 4fh
        int  41h
        xchg dx, es:[41h*4]         ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp  ax, 0f386h             ; our handler leaves AX alone, so 0F386h means SoftICE answered
        jz   SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov  cl, al                 ; our handler: copy AL into CL
        iret
int41handler ENDP

        xor  ax, ax
        mov  es, ax                 ; ES = 0 -> interrupt vector table
        mov  bx, cs
        lea  dx, int41handler
        xchg dx, es:[41h*4]         ; install our int 41h handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        in   al, 40h                ; read an unpredictable value (timer channel 0)
        xor  cx, cx
        int  41h                    ; no function 4Fh in AX this time
        xchg dx, es:[41h*4]         ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp  cl, al                 ; CL==AL only if our handler really ran
        jnz  SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov  ah, 43h
        int  68h
        cmp  ax, 0F386h
        jz   SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
        located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov  ah, 25h                ; DOS set interrupt vector
        mov  al, Int_Number         ; 01h or 03h
        mov  dx, offset New_Int_Routine
        int  21h
__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov  eax, Device_ID         ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov  edi, Device_Name       ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov  [DDB], ecx             ; ecx=DDB or 0 if the VxD is not installed
Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
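To make the dr7 values quoted above concrete, here is an added example (Python, not part of the original text) that decodes a DR7 value into its fields using the bit layout documented in the Intel SDM, so an analyst can see what 0x700 versus 0x400 actually encodes (LE and GE set, or only the always-set bit 10) and which hardware breakpoint slots a value would expose. The 0x700/0x400 interpretation is taken from the text above and is labelled as such; the function and field names are my own.

```python
# Added example: decode an x86 DR7 debug-control register value.
# Bit layout follows the Intel SDM (vol. 3, "Debug Registers"); the
# interpretation of 0x700 vs 0x400 is the claim made in the text above.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 0b10 = 8 bytes on 64-bit CPUs, undefined on older ones


def decode_dr7(dr7: int) -> dict:
    """Return the named fields of a DR7 value."""
    fields = {
        "local_enable": [i for i in range(4) if (dr7 >> (2 * i)) & 1],      # L0..L3
        "global_enable": [i for i in range(4) if (dr7 >> (2 * i + 1)) & 1],  # G0..G3
        "LE": bool((dr7 >> 8) & 1),      # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),      # global exact breakpoint enable
        "GD": bool((dr7 >> 13) & 1),     # general detect: trap on MOV to/from DRx
        "slots": {},
    }
    enabled = set(fields["local_enable"]) | set(fields["global_enable"])
    for i in sorted(enabled):
        rw = (dr7 >> (16 + 4 * i)) & 3   # R/Wn: what kind of access fires the slot
        ln = (dr7 >> (18 + 4 * i)) & 3   # LENn: width of the watched range
        fields["slots"][i] = (RW_NAMES[rw], LEN_BYTES[ln])
    return fields


def hardware_breakpoints_armed(dr7: int) -> bool:
    """True if any of DR0..DR3 is enabled (what the text calls 'BPMs set')."""
    return bool(dr7 & 0xFF)


def looks_like_softice_loader(dr7: int) -> bool:
    """Mirrors the text's claim: dr7=0x700 (LE+GE set) when started from the
    SoftICE loader, 0x400 otherwise.  LE/GE can be set by other debuggers too,
    so this is a hint, not proof."""
    f = decode_dr7(dr7)
    return f["LE"] and f["GE"]


if __name__ == "__main__":
    # 0x000F0401: slot 0 locally enabled, R/W0=11 (read/write), LEN0=11 (4 bytes)
    for v in (0x400, 0x700, 0x000F0401):
        print(hex(v), decode_dr7(v), "armed:", hardware_breakpoints_armed(v))
```

Reading DR7 requires ring 0, as the text says; the decoder itself is useful on register dumps from a crash, a hypervisor trace or a kernel debugger, where the same bit layout applies.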

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the \\.\SICE device can be opened, i.e. SoftICE is loaded */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);   /* the open only succeeds because the VxD answered */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025     ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                    ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                    ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                     ; OF_READ
        mov  eax,[00656634]         ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                    ; HFILE_ERROR (-1) becomes 0
        jnz  00650589               ; detected
        push 00                     ; OF_READ
        mov  eax,[00656638]         ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae               ; not detected

__________________________________________________________________________


Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh              ; function 4fh
        push 002a002ah              ; high word specifies which VxD (VWIN32),
                                    ; low word specifies which service
                                    ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001       ; VxDCall
        cmp  ax, 0f386h             ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
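The breakpoints given for each method only fire once the program is already running under SoftICE. An analyst triaging a packed sample usually wants to know beforehand which of these tricks it carries, so here is an added example (Python; my own code, not from the original text) that scans a raw binary for the instruction and string fragments of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 above. The opcode encodings are the standard 16-/32-bit x86 ones; which fragments to match, the gap sizes that tolerate prefixes and interleaved instructions, the rule names and the sample bytes are all my own assumptions.

```python
import re

# Added example: signature scan for the SoftICE-detection fragments listed
# above.  Encodings are the standard x86 ones; the short ".{0,n}?" gaps
# tolerate a 66h operand-size prefix and a few interleaved instructions.
# Which fragments to match and how wide the gaps are is my own choice.
SOFTICE_TRICKS = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01_boundschecker_bchk": rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc",
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) ... int 3
    "02_backdoor_magic":
        rb"(?:\xbe\x47\x46.{0,4}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,4}?\xbe\x47\x46).{0,12}?\xcc",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "03_04_int2f_get_entry": rb"\xb8\x84\x16.{0,4}?\xbb(?:\x02\x02|\x5f\x7a).{0,4}?\xcd\x2f",
    # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h
    "05_int41_4f": rb"\xb8\x4f\x00.{0,4}?\xcd\x41.{0,16}?\x3d\x86\xf3",
    # Method 07: mov ah,43h / int 68h ... cmp ax,0F386h
    "07_int68_43": rb"\xb4\x43.{0,4}?\xcd\x68.{0,8}?\x3d\x86\xf3",
    # Method 11 (MeltICE): device names handed to CreateFile / _lopen (ASCII only)
    "11_meltice_device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh / push 2A002Ah just before the VxDCall
    "12_vxdcall_int41dispatch": rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
    # Method 13: registry paths, case-insensitive
    "13_registry_path":
        rb"(?i)(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SOFTICE_TRICKS.items()}


def scan(blob: bytes) -> dict:
    """Map each trick name to the list of offsets where its fragment was found."""
    hits = {}
    for name, rx in COMPILED.items():
        offsets = [m.start() for m in rx.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


def report(blob: bytes) -> str:
    """One line per hit, e.g. '01_boundschecker_bchk @ 0x10'."""
    return "\n".join(f"{name} @ {', '.join(hex(o) for o in offs)}"
                     for name, offs in sorted(scan(blob).items()))


# Constructed sample: NOP padding around hand-assembled fragments of
# methods 01, 05 and 11.  Not taken from any real binary.
SAMPLE = (
    b"\x90" * 16
    + b"\xbd\x4b\x48\x43\x42"              # mov ebp,4243484Bh
    + b"\x66\xb8\x04\x00"                  # mov ax,4 (32-bit code, 66h prefix)
    + b"\xcc"                              # int 3
    + b"\x3c\x04"                          # cmp al,4
    + b"\x90" * 8
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"  # mov ax,4fh / int 41h / cmp ax,0F386h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                   # '\\.\SICE' as passed to CreateFileA
    + b"\x90" * 8
)


if __name__ == "__main__":
    print(report(SAMPLE) or "no SoftICE-detection fragments found")
```

Run it over a file with scan(open(path, "rb").read()); a hit tells you which breakpoint from the sections above to set before tracing. Packed code is scanned only after unpacking, and the byte patterns catch the textbook forms, not a trick rewritten with different registers or split across jumps.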

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je   not_installed          ; ZF set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>