<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: with 'BCHK' in ebp
and ax=4, the int 3 handler of SoftICE answers the request and al no
longer holds 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; al untouched -> nobody answered, no SoftICE
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
        -AX = 0910h (Display string in SIce windows)
        -AX = 0911h (Execute SIce commands; the command is located at ds:dx)
        -AX = 0912h (Get breakpoint info)
        -AX = 0913h (Set SIce breakpoints)
        -AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
        -SI = 4647h
        -DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

        4C19:0095  MOV AX,0911     ; execute command.
        4C19:0098  MOV DX,[BX]     ; ds:dx point to the command (see below).
        4C19:009A  MOV SI,4647     ; 1st magic value.
        4C19:009D  MOV DI,4A4D     ; 2nd magic value.
        4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute.
        4C19:00A4  INC CX
        4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
        4C19:00A8  JB 0095         ; 6 different commands.
        4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
        4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point): if the VxD is loaded, ES:DI receives its API entry
point, otherwise ES:DI stays 0.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; still 0 -> VxD not loaded
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Before calling int 41h, the vector is
pointed at a dummy handler so that nothing but a debugger intercepting the
interrupt can return the magic number; the original vector is restored
afterwards:

        mov bx, cs
        lea dx, int41handler2       ; es is assumed to be 0 (IVT), see method 06
        xchg dx, es:[41h*4]         ; install dummy handler, old vector -> bx:dx
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]         ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: a
random value (read from timer port 40h) is passed in al and the dummy
handler copies it to cl; if a debugger intercepts int 41h the handler never
runs and cl stays 0.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                   ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]         ; install handler, save old vector
        xchg bx, es:[41h*4+2]
        in al, 40h                  ; random value from the timer
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]         ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

        mov ah, 25h                 ; set interrupt vector
        mov al, Int_Number          ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* opening the device name only succeeds if the SICE VxD is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025       ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001
        00401074:  je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                    ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                    ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                     ; OF_READ
        mov eax,[00656634]          ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                     ; HFILE_ERROR (-1) becomes 0
        jnz 00650589                ; detected
        push 00                     ; OF_READ
        mov eax,[00656638]          ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                 ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh              ; function 4fh
        push 002a002ah              ; high word specifies which VxD (VWIN32)
                                    ; low word specifies which service
                                    ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001       ; VxdCall
        cmp ax, 0f386h              ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

        -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
             \Uninstall\SoftICE
        -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
        -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
             \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

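The breakpoints above catch these tricks at run time. As an added example (not code from this text), the Python scanner below does the same job statically for methods 01 to 07, 11, 12 and 13: it looks for the byte encodings of the instructions, device names and registry key quoted above, requiring the parts of one trick to sit close together. The opcode bytes are my own encodings of the quoted instructions and the SAMPLE buffer is constructed, not taken from a real program.

```python
import re

lit = re.escape     # literal byte string -> regex pattern
WINDOW = 32         # all parts of a rule must lie within this many bytes of the first

# (method number from the text, description, patterns that must all occur within
# WINDOW bytes of the first one).  Opcode bytes are the encodings of the instructions
# quoted in the text: 16-bit code for methods 02-07, 32-bit code for 01 and 12.
# Patterns start at the opcode byte, so an operand-size prefix in front of a
# 16-bit immediate move does not disturb the match.
RULES = [
    ("01", "BoundsChecker 'BCHK' int 3 probe",
     [lit(b"\xBD\x4B\x48\x43\x42"), lit(b"\xCC")]),                  # mov ebp,4243484Bh / int 3
    ("02", "SoftICE int 3 back door (SI=4647h, DI=4A4Dh)",
     [lit(b"\xBE\x47\x46"), lit(b"\xBF\x4D\x4A"), lit(b"\xCC")]),    # mov si / mov di / int 3
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     [lit(b"\xB8\x84\x16"), lit(b"\xBB\x02\x02"), lit(b"\xCD\x2F")]),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     [lit(b"\xB8\x84\x16"), lit(b"\xBB\x5F\x7A"), lit(b"\xCD\x2F")]),
    ("05", "int 41h/4Fh debugger installation check",
     [lit(b"\xB8\x4F\x00"), lit(b"\xCD\x41")]),                      # mov ax,4Fh / int 41h
    ("07", "int 68h/43h WinICE handler check",
     [lit(b"\xB4\x43"), lit(b"\xCD\x68")]),                          # mov ah,43h / int 68h
    ("11", "MeltICE style device name",
     [rb"\\\\\.\\(SICE|SIWVID|NTICE)"]),                             # \\.\SICE etc.
    ("12", "VWIN32_Int41Dispatch through VxDCall",
     [lit(b"\x68\x4F\x00\x00\x00"), lit(b"\x68\x2A\x00\x2A\x00")]),  # push 4Fh / push 002A002Ah
    ("13", "SoftICE registry key lookup",
     [lit(b"Software\\NuMega\\SoftICE")]),
]


def scan(data: bytes):
    """Return a list of (method, description, offset) for every trick found."""
    hits = []
    for method, desc, pats in RULES:
        regs = [re.compile(p) for p in pats]
        for m in regs[0].finditer(data):
            window = data[m.start():m.start() + WINDOW]
            if all(r.search(window) for r in regs[1:]):
                hits.append((method, desc, m.start()))
    return hits


# Constructed sample (not a real binary): the Haspinst-style back door call of
# method 02, the int 2Fh probe of method 03, a MeltICE device name and the
# registry key of method 13, separated by NOP/zero padding.
SAMPLE = (b"\x90" * 4
          + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,0911 / mov dx,[bx] / si / di / int 3
          + b"\x90" * 4
          + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # xor di,di / mov es,di / ax,1684 / bx,0202 / int 2F
          + b"\x00" * 4
          + b"\\\\.\\SICE\x00"
          + b"Software\\NuMega\\SoftICE\x00")

if __name__ == "__main__":
    for method, desc, off in scan(SAMPLE):
        print(f"method {method} at offset {off:#06x}: {desc}")
```

A lone int 3 or a single magic word does not fire a rule, only the combination within the window does, which keeps false positives down on ordinary code.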
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed                ; zero flag set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>