<TABLE width=500>
2 i! k+ F% e! |<TBODY> _; w& L8 N+ j K" l. v
<TR>+ J; V G' H# T4 h* |$ C# @7 D+ I
<TD><PRE>Method 01 ' i, d( D! [* `1 j+ ^/ z, w
=========' l$ o+ O1 i0 Y( T
; J# O6 V/ h: A% y* V* J" Y `. W3 DThis method of detection of SoftICE (as well as the following one) is$ f$ l6 J+ f4 a7 D7 u1 D2 T6 V) O# ?: _
used by the majority of packers/encryptors found on Internet./ w+ P$ [9 y) Q9 C6 U
It seeks the signature of BoundsChecker in SoftICE
4 [; C- l7 F" Z5 e h8 \ M' C- k# T$ {* p' Q9 E" _* R7 C! t
mov ebp, 04243484Bh ; 'BCHK'
/ h# J4 p4 i1 L2 A& e3 r% B mov ax, 04h& \# Z1 v1 a% X+ ~
int 3 5 A3 F9 J( s+ V
cmp al,4
$ D. S8 G% X% E8 ^( H6 r" { jnz SoftICE_Detected
8 w" y- B. H$ B9 S5 D: B! _4 i3 ]2 z4 T; J- j
___________________________________________________________________________1 w! e9 {$ X! M o* D' G
& z3 W) l8 ^- o$ E7 a
Method 02, ?( w% K( C- u1 r' ^
=========
! h' [: J) }8 u1 U9 e
A& N' R2 Q3 G! v. k& m7 s4 dStill a method very much used (perhaps the most frequent one). It is used* L# }8 u- U" j- l; a4 p
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,9 E# b* E l, q0 m; Y2 V
or execute SoftICE commands...& g+ i' e( q, M
It is also used to crash SoftICE and to force it to execute any commands
5 |, O5 v8 C1 [$ Z, g(HBOOT...) :-((
5 U4 A5 U# r5 J/ y7 h! m- H+ O3 E8 s# M, b6 e5 U) K
Here is a quick description:9 f9 M( Y; H0 \- o1 c$ v
-AX = 0910h (Display string in SIce windows)& t0 W# Q" ]! M d: m
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
; p# E6 m2 C2 [* I @% x) A' w-AX = 0912h (Get breakpoint infos)2 y9 f# A" \- F! A' I
-AX = 0913h (Set Sice breakpoints), L# b3 O4 N1 z& ?- Q0 q( W0 h" L
-AX = 0914h (Remove SIce breakoints)
) G' K# E5 D B# d9 o, C
* N7 N0 l1 P7 s6 Z; S& A! oEach time you'll meet this trick, you'll see:
' V4 V9 w0 E0 J( w6 s-SI = 4647h
4 J+ h# M" c- I-DI = 4A4Dh7 ?9 M# S+ |$ d
Which are the 'magic values' used by SoftIce.
) u, U3 k; u8 M8 O9 w3 R& T4 qFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
& P. k8 u5 p% o2 u- J! W/ V! _ ^- n
}0 m' Z% \, g: XHere is one example from the file "Haspinst.exe" which is the dongle HASP
) K! w3 v/ D+ B9 I p9 N% ZEnvelope utility use to protect DOS applications:
. A! W' L% U( w5 ^- b! [$ r7 {5 q' o% ^3 F# c( a( C
/ d: h/ l: |5 p- m5 P
4C19:0095 MOV AX,0911 ; execute command.
" [3 S, c& d. X4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).4 n7 ~, f- c5 T/ B5 {( Z8 E' y
4C19:009A MOV SI,4647 ; 1st magic value.' V" }! f6 L9 r! }& f T
4C19:009D MOV DI,4A4D ; 2nd magic value.
- F, U5 D! J) J+ x4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
8 F; {) B5 M$ y4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
9 k! \2 A/ c1 ~- p# C" N4C19:00A4 INC CX6 V2 G- h# N! j8 d
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute+ K3 n( \$ s& t0 {+ q7 h
4C19:00A8 JB 0095 ; 6 different commands.
' x6 j1 q6 j0 `: f: d8 i3 L" c4C19:00AA JMP 0002 ; Bad_Guy jmp back., ]3 u) ~* Y4 M* ~3 F1 p! a
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)) N' P5 H/ F! U0 O: _, c6 Y: j; y
" `1 A0 y8 x8 a! c' x% G, _0 k
The program will execute 6 different SIce commands located at ds:dx, which
) X8 K2 y% ?- d7 K' E- oare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.3 v2 `/ n5 U, ~3 `! e0 Z( M) U
, m: H! o: C$ f9 z/ Z
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.: y- D" q' @+ c ~; D
___________________________________________________________________________+ J. n$ m" ]* P; W
* P/ |! f, W* v% [7 S. b# [
4 d" a' d7 p; F- FMethod 030 }+ o3 \" o) ^! E: V4 {+ W9 b
=========) D- q: l$ h9 M+ e( \) C, D
& q3 O5 D. V6 @- J
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
7 x' h* J! K3 I- s0 @1 f/ [) a(API Get entry point)
) X' l* M' c# t" p & l7 G( h2 R. k, ~ I/ W* d; |% x
8 \3 y8 }9 e5 s; Q' ]# V
xor di,di g' |0 F9 ]! U' U
mov es,di
. G$ i8 O; I& Y1 Q/ F$ l mov ax, 1684h 1 _4 Y" f8 |& r$ a5 T
mov bx, 0202h ; VxD ID of winice
: s9 q+ }3 O+ n1 w int 2Fh
. Y4 B2 V# b% m, _' Y7 \ mov ax, es ; ES:DI -> VxD API entry point! B3 q0 m! y4 g5 K7 M2 }( I
add ax, di8 m5 A* B: E5 \; C6 d- O; y
test ax,ax
1 b: o- h5 A8 E* e6 G jnz SoftICE_Detected' M4 G- K" }, Q" f$ k
/ V% v- k9 V% F) V
___________________________________________________________________________% G9 ~" O1 U3 K2 R2 F
S! S0 u( D, A) t! [1 BMethod 04
: w' I# S; ]9 E5 p9 y9 b8 m2 |1 y! s=========
" ?) o. {6 V" P4 x9 j
" I J( h3 k3 X5 C: F4 Q- CMethod identical to the preceding one except that it seeks the ID of SoftICE
7 }* q( ]' T X- A0 PGFX VxD.0 a7 q, o2 |, u% X
) g" M+ p" K8 y+ M7 i; H7 O. g6 z5 @ xor di,di
& n+ K; }: G$ a; Q mov es,di
8 M p8 x1 p0 u( n1 q mov ax, 1684h
* x+ R7 J l$ y+ N% A2 @ mov bx, 7a5Fh ; VxD ID of SIWVID
, A8 \/ u% [/ H: L: n int 2fh
$ C g$ Z" {" p9 F b7 T+ t mov ax, es ; ES:DI -> VxD API entry point
3 [: u" o) h7 }) n1 T add ax, di8 W2 H. G, _0 d( n4 Y
test ax,ax: N( U1 ^1 S; z7 q% z
jnz SoftICE_Detected
2 A5 P4 p, H6 i% ]& G' b9 }6 a, w2 m" ?$ j% O
__________________________________________________________________________+ g4 f7 A- e+ T* |
9 w. `8 ~1 m8 `
1 s2 a7 I, }, f& T( ~% G/ ~
Method 053 t: C7 r' M" g% \" q4 |& l
=========
- ?5 I( X% a* f: v. R; o5 W
4 E: B% H* O7 q. A) ?9 g% pMethod seeking the 'magic number' 0F386h returned (in ax) by all system
2 C( `) q2 S* `4 ]! `3 }' Sdebugger. It calls the int 41h, function 4Fh.
1 f p3 ~0 C% V# u1 M2 {+ D2 g3 IThere are several alternatives. |" H( F; l, S
3 @, ]. b8 f# W" T, f5 h
The following one is the simplest:1 T: G3 v* w/ f2 J! l- {
- g% i8 }9 Q" u; H mov ax,4fh
' p) O6 K# M0 l* ?' l$ a int 41h5 d( R* n) Y! D! {
cmp ax, 0F386) x6 i* _; o9 x& }; R0 w
jz SoftICE_detected' }$ _& ^* K* q+ o+ z6 W" D; x
. s8 s; W1 \3 T0 h& z
5 ?2 h6 x0 b8 t& h
Next method as well as the following one are 2 examples from Stone's ! o% Z, g8 [, [) g2 q+ W
"stn-wid.zip" (www.cracking.net):
) \( P4 I9 l% Y: z$ a1 @1 u* r- T3 `; E5 k9 G1 U, V
mov bx, cs
' ~& C6 |$ t9 ` lea dx, int41handler29 f$ m2 x! a1 u6 M0 O! X j; Z' o* ^
xchg dx, es:[41h*4]
" [; O" E1 g/ y3 R2 l' C8 I4 D5 s xchg bx, es:[41h*4+2]
- j! b! C) }* R; |, a7 L1 O mov ax,4fh- U% A( |7 ~& n2 s% U! f
int 41h
8 i0 f0 f0 w) S xchg dx, es:[41h*4]
/ H: \. B$ W7 J* O) E$ w+ ] xchg bx, es:[41h*4+2]6 i" ?; I- w0 Z6 q; W0 n' z
cmp ax, 0f386h p) G: j7 d: C1 N: r" z+ g$ e1 d
jz SoftICE_detected
) r0 u% Q# X0 Q7 K0 R. L- e
' r6 M: G! e( |# L1 j4 u! ~int41handler2 PROC. |7 ]" e* K/ ]
iret
* b8 z% a! I. j; c3 S' gint41handler2 ENDP/ d# a5 |, _8 w+ c8 j7 b
; Q8 U6 E% R* x4 @, E
* R' \4 C+ o* A8 A* y
_________________________________________________________________________
0 M+ O' l# q& M' G! M l$ {/ v) A; k' s
; @: X- E; r. M4 H9 [Method 06* c4 y7 Y, s& c5 {5 p$ F
=========4 V/ _# g1 t( d& {
6 {: D" a: t6 C
7 x+ A% O$ R$ o% s+ N
2nd method similar to the preceding one but more difficult to detect:
" c+ h' d5 ?: c% C2 |% r5 Y B/ |/ x k5 C
L7 p/ g1 u \8 ~8 t! d+ sint41handler PROC: f6 N0 I3 D- _
mov cl,al3 _4 J" s! v6 E1 y, T5 |; N' }
iret0 [9 U6 f+ l" `8 u
int41handler ENDP
5 M& ]9 ~9 g/ o; F# z0 k" g& Y: X% _/ w6 m' \
/ }0 N' L9 @9 j( k3 L
xor ax,ax
% {4 \3 Y; i+ d& D: a. j9 F( o3 ` mov es,ax
' V+ e. X3 g0 K# x mov bx, cs
2 m3 V! j1 t4 t$ V3 w$ a3 A8 J lea dx, int41handler: c- ^8 U* s' G; u# x& ~
xchg dx, es:[41h*4]
m% u3 A' {$ o/ l* q$ {9 ^& t* y xchg bx, es:[41h*4+2]
$ h* i" [# ^2 [4 F+ k+ ~: W H in al, 40h
. L. R: h" `) s: F6 N: V2 u xor cx,cx! J1 Q k5 j C' s0 m g: w; h
int 41h, ]* g$ l/ P% w6 d ?; E5 D
xchg dx, es:[41h*4]
, x, j3 G- n7 @0 o xchg bx, es:[41h*4+2]. H. Y7 g. r! \2 A2 W5 ^
cmp cl,al7 J9 o5 d5 ?" ~) G6 S
jnz SoftICE_detected
( Y- A% Z9 P& v1 [! s4 E( V& U% p
- t- a) h& n3 E_________________________________________________________________________
8 n, T {# t; E, c$ U
, q7 O% v! b; J$ M2 WMethod 07! i2 t/ r3 u& O) { z. F+ k
=========
8 n5 p: d/ F; [
G; b; j0 `& Y2 X5 ~2 K; Y8 K3 n- zMethod of detection of the WinICE handler in the int68h (V86)
: c; \" } D% Z/ w! Y
1 W3 V: P" Q6 D8 r# j6 g6 j mov ah,43h H" J4 Q i8 r8 z- {
int 68h' M% v7 D9 i- Z% W( f2 b2 d
cmp ax,0F386h
/ M J# v7 R- T% [ jz SoftICE_Detected
' h) D# w& D' h4 d8 `& l# \( q. {: L0 O& K
2 G4 B3 { q& t8 H* H. ~ w. b=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
7 c' C: C" W! M6 ?/ p1 \2 v' o app like this:
( o( \4 F2 V i( [* M1 {& H1 W, w- T9 d% k+ E: I
BPX exec_int if ax==68
7 o, I9 u8 K: n# t+ g- N (function called is located at byte ptr [ebp+1Dh] and client eip is J$ S9 n6 @+ R6 H$ O- u/ O
located at [ebp+48h] for 32Bit apps); I% [) z9 J$ V. x$ c
__________________________________________________________________________; }. i5 ^& k6 \5 {7 F
: t9 U5 L8 u+ S% S
" Y; a7 F2 H2 B& L+ D. D( @! {Method 08
* V; S0 u5 _$ d+ p! e$ F=========3 _' m `1 J! H) e- a
: P \& E6 k4 p& B3 ]. b. U9 EIt is not a method of detection of SoftICE but a possibility to crash the
?: D$ R# V/ Y" D, K3 b hsystem by intercepting int 01h and int 03h and redirecting them to another/ g1 y5 h8 E3 t% O: a& J! M' N6 s
routine.8 [/ Z4 t$ q( Y8 B5 R
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
0 T9 z% S8 C: }: }. Mto the new routine to execute (hangs computer...)
3 \) a" r% Y( t0 n6 {5 r/ ^$ u- ^
% w2 `) i/ `3 {' [$ o B4 ? mov ah, 25h
# Y8 d' u8 ^$ E9 J mov al, Int_Number (01h or 03h)
2 w% ~, E" Y% l% V mov dx, offset New_Int_Routine
6 b2 f d- {( e) E6 H% c' c5 U int 21h
; s- D( n: G+ ]+ ~4 x/ }. d9 i8 M
# l L- G, U/ H$ |. p6 h1 B__________________________________________________________________________
$ K$ K- p/ S5 x2 h% Z& r: s6 ^3 u0 F ^1 Z' z8 L
Method 09
8 L- _1 u0 W2 C+ C=========) s; z. F. ~- u. @9 K
0 L8 ^2 w4 P8 [4 c6 i! y3 p t
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only" {4 [6 r7 A7 Z) O a
performed in ring0 (VxD or a ring3 app using the VxdCall).
. {0 `7 h7 o+ q+ @The Get_DDB service is used to determine whether or not a VxD is installed- O( c! N5 _% k. k! u- h: D
for the specified device and returns a Device Description Block (in ecx) for% j' i9 W9 D$ F9 Q
that device if it is installed.
& v; m, m+ T) u8 t: _* f7 P1 z0 o+ l4 Z
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
: y8 }& L% B- J$ B mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-); V. G$ U4 }$ o, U0 y
VMMCall Get_DDB
% c9 B5 D& G( L( V1 T; W, U mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed: z0 Y3 n) y0 s j! q
" |/ I, z* h6 \( j$ }Note as well that you can easily detect this method with SoftICE:
" @3 G* V0 O, j5 N" a8 @ bpx Get_DDB if ax==0202 || ax==7a5fh
) S" F A8 h$ ^1 a$ q! @$ t8 @5 I5 G I! y+ W3 T: c
__________________________________________________________________________
C* ?; }: ^+ l! J: E- d- r# P; f
Method 10% }% Y- t+ o; B5 K a* U
=========' {4 H) l9 y2 w* H3 y; v8 b
# n" Q/ e% V; B1 ]1 R: V7 e: C# K8 Y
=>Disable or clear breakpoints before using this feature. DO NOT trace with4 c/ d9 A3 A; ~" b% X
SoftICE while the option is enable!!& z+ z9 q4 h* `8 V3 H9 v" Z
- n4 T! S8 K5 ^/ D; g& r! `' YThis trick is very efficient:+ {1 Z. P- X l
by checking the Debug Registers, you can detect if SoftICE is loaded
, r. G2 F% l5 h/ v6 l. D- V(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
" l5 e M2 f. v5 w$ athere are some memory breakpoints set (dr0 to dr3) simply by reading their
+ C* c' x0 G0 P% Z7 ^7 ]$ ` Svalue (in ring0 only). Values can be manipulated and or changed as well* g2 f( n) y, T G- n1 I6 w- E: d
(clearing BPMs for instance)
# v0 [. Y+ H6 ]% d( w( h& z" Z) e4 L9 M; O9 h
__________________________________________________________________________
# J2 R5 P4 ]1 U- B* ?% z8 J: ]
. t8 Z. f1 P" n- R0 rMethod 11, [' d4 [# v3 w! A5 b \
=========
o. U/ A; F$ t1 g- b8 F5 L% n x, m& m
This method is most known as 'MeltICE' because it has been freely distributed
: [/ p* J, \: ~) G. o" s" G2 e Dvia www.winfiles.com. However it was first used by NuMega people to allow
z! P* ?8 q5 E) G$ PSymbol Loader to check if SoftICE was active or not (the code is located* I0 c A3 E. p, H/ {* ?. N
inside nmtrans.dll). @! L/ I; t5 L) B5 x5 z
1 w: E6 x- i+ ]9 `6 ]- S+ L
The way it works is very simple:
; p6 x5 F. `5 E, o; AIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for, M: E0 Y* t( [
WinNT) with the CreateFileA API.! R% w/ A6 u7 S& D& R. t6 i
0 }$ W) ?" k0 G' a9 W
Here is a sample (checking for 'SICE'):2 K) }, [: e2 d3 H9 {* ?( @
6 {/ F% l# ?$ b* U
BOOL IsSoftIce95Loaded()
7 g8 C! _, B& ]$ z{$ a4 S8 Z$ o8 v0 j$ k: r6 k+ l
HANDLE hFile; ! B; w/ W8 U w3 @' l! A. K: f( b
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
6 ]8 r' D1 ~- }; `( }5 D" e FILE_SHARE_READ | FILE_SHARE_WRITE,
1 c: [7 }) o# ^9 K; A i NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
- U! O9 o3 y& a if( hFile != INVALID_HANDLE_VALUE )+ _2 ^7 ?9 J4 I
{
( q F- g# Y0 \1 v CloseHandle(hFile);& k4 D0 q* k9 h9 W0 F+ @
return TRUE;5 f6 t! T# V. E. s" } W! _
}
5 r; W* E8 ^# i- _1 @0 j) s return FALSE;' S4 g7 Z+ y& ^3 h
}
* {6 i. Z2 E) M" c( D
2 T: D2 \( S; U) H$ Y" G4 G& e; VAlthough this trick calls the CreateFileA function, don't even expect to be8 E3 k g T: e; }* v6 q
able to intercept it by installing a IFS hook: it will not work, no way!0 D+ d$ u& c2 H4 y2 V2 o
In fact, after the call to CreateFileA it will get through VWIN32 0x001F+ c* [( U7 n( ~; C
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
( P& d; r% A3 A# Y5 x1 G& z5 I" hand then browse the DDB list until it find the VxD and its DDB_Control_Proc$ o" \( }+ M; \ l7 H
field.
1 k+ K6 S! r: F& x: ^8 vIn fact, its purpose is not to load/unload VxDs but only to send a
( Z9 j& b4 |4 p9 _; SW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
, @5 G) G& A1 n3 yto the VxD Control_Dispatch proc (how the hell a shareware soft could try
- c) P) [1 U" Y* f- a9 ?4 Kto load/unload a non-dynamically loadable driver such as SoftICE ;-).
. i3 M5 S( }8 _6 v) t& |1 [If the VxD is loaded, it will always clear eax and the Carry flag to allow
* @- [+ Y4 I7 I( H' k; Bits handle to be opened and then, will be detected.
5 _% R, o8 S8 R2 nYou can check that simply by hooking Winice.exe control proc entry point
, K d. H% R4 a2 ^% Rwhile running MeltICE.
* R. Q, } V7 p; m8 G8 T9 }" [+ k# n. i* E+ ]
9 S5 L1 ]6 l' w1 h
00401067: push 00402025 ; \\.\SICE
6 d4 ]2 g, q- o5 ^- H, f' W3 [7 u* p n 0040106C: call CreateFileA5 p/ I2 M) e% G& ^) r
00401071: cmp eax,-001
$ X' G& o. K/ W# l4 c# ~ 00401074: je 00401091' a! z1 P' n% t( [ }4 }1 [* B
1 i5 n& \# `/ b3 H
! G! u2 Q% |+ v( j& g
There could be hundreds of BPX you could use to detect this trick.+ F4 @3 O* k R! M
-The most classical one is:2 D" j* R8 r1 j! J5 a! B; v
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
% l- [7 {) Z6 M: h2 }, J *(esp->4+4)=='NTIC'& P7 q1 |& F8 F: g3 s3 h: H" E6 w* y
9 u6 T2 L3 N% x* f. }; P
-The most exotic ones (could be very slooooow :-(
+ q& f. G6 s6 G+ Y' S BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') ) i2 I+ j1 F) r& Q
;will break 3 times :-(9 d4 d' s+ o( P8 e* E* x+ G
& y( q, K j: D' D4 A" x-or (a bit) faster:
. i' R4 V; N$ e r2 ` BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
; O5 ], j2 w5 U }: R& x# q9 ?
' X' b$ p' s" [" n! M BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
5 {% ~; t& J& C2 R9 g ;will break 3 times :-(! Y9 z p4 s6 ^( _
i5 Q! T! O0 |: w7 |-Much faster:
7 e2 n" M) H/ A; b BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'9 W. v+ H4 j$ r6 B: R
- u( {; C3 Y1 X5 eNote also that some programs (like AZPR3.00) use de old 16-bit _lopen# X% G: k9 ]* X, Q! ~' {0 F
function to do the same job:' F: K; p- K) t
2 {, ]6 k9 \# X push 00 ; OF_READ
5 U6 @, ^) |: G- m1 L3 D mov eax,[00656634] ; '\\.\SICE',0& M7 [# ?$ v6 [" l: E
push eax+ t: T) I3 a8 R6 [9 h. h
call KERNEL32!_lopen
! S; ^. N8 `: L4 W' g inc eax
, J2 f* |) @3 k ~/ P3 S3 p jnz 00650589 ; detected! Y) w' ]9 J8 f5 n' \$ B7 i; G
push 00 ; OF_READ0 t6 d& d$ c0 N, @* Y
mov eax,[00656638] ; '\\.\SICE'9 O9 m3 \0 |7 j+ F9 Q2 |
push eax4 V% V% D; K c1 ?+ i0 G% F7 i
call KERNEL32!_lopen1 u" @. h- ^6 J- A2 _ M3 x2 |
inc eax
: d; p. T! P' U) i- l4 S jz 006505ae ; not detected
. A1 j! K; @; K4 w9 o+ E Z2 v# A: q# C
7 S' n# U; r) G, [% Q+ ~3 h; q; c
__________________________________________________________________________& P- t i8 _; w" I
: [: y& @2 \& R g9 K
Method 12
8 W/ D5 u" q; t$ d=========
. b5 P; O( v1 A7 F' R$ L0 ^0 q; S& N" u8 H T( v2 }
This trick is similar to int41h/4fh Debugger installation check (code 05; N& f3 M, M- u+ G# K
& 06) but very limited because it's only available for Win95/98 (not NT)
8 q1 e6 `& Z6 k# Aas it uses the VxDCall backdoor. This detection was found in Bleem Demo.6 q9 e$ ^) |& P& E; F" R% v
7 ]1 s, v' U8 f z) u1 o
push 0000004fh ; function 4fh7 {$ V3 ~5 v4 Q9 W7 Y' `( C
push 002a002ah ; high word specifies which VxD (VWIN32)
; |1 Q* K5 x* P( V! N1 j ; low word specifies which service
( e" y2 P1 t* a* ]( e: ^* f( x; u (VWIN32_Int41Dispatch)! j% {8 x+ C$ x
call Kernel32!ORD_001 ; VxdCall' g8 V& V( r3 H+ E
cmp ax, 0f386h ; magic number returned by system debuggers
& N: b) X# p/ V) E- j5 g4 y jz SoftICE_detected
% m0 T5 v& i1 S% G M3 C7 D9 S4 h4 g, [: t" }6 n4 c
Here again, several ways to detect it:9 d8 Z3 G, y7 r
* r$ ~1 s) ? ]# W1 D* Q6 L, i4 b# R
BPINT 41 if ax==4f
" s$ _+ \7 S# ]8 A# F* \( P6 ~& S2 E2 z6 b9 f+ ?6 v
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
+ k! y3 r3 l6 d/ I1 T! Z4 {1 R
( ^ B4 V3 ^1 O9 v9 W* k9 S+ c, j BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
" B5 ^# a9 U) i9 r6 M
w! O: Y7 A& j6 c& D6 o4 I BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!6 P* t: x/ M# i( t6 F
& Z' Y1 K2 c; g
__________________________________________________________________________
# ^# A7 G4 I6 W
2 `* R! e# x: T) vMethod 13+ `- Y! l ^( F: A) {) K. c9 T& z7 C
=========! F. q7 s1 j4 J% @
1 J# F# ^8 L9 r5 V0 R, wNot a real method of detection, but a good way to know if SoftICE is
+ H6 {& [+ X# P9 Uinstalled on a computer and to locate its installation directory.
) X5 o& L* M8 gIt is used by few softs which access the following registry keys (usually #2) :
4 ~! k3 b/ x' K% Y2 ]) b( x. a, _7 h- X5 M2 b
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion; u8 M# H" c- j
\Uninstall\SoftICE
! ?. x0 [. p6 x8 \2 ~+ q E-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
- Z7 _9 |( \ X-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
# J" Q: \1 P8 L/ d- _9 J7 |! Z2 Y\App Paths\Loader32.Exe
& ]* n5 W6 u+ z7 q+ F$ |7 K1 J
+ j. @# ^7 y h5 E B- F' y8 M8 n l! C9 k
Note that some nasty apps could then erase all files from SoftICE directory( g7 T+ j! [: }- b9 |7 P
(I faced that once :-(
2 f1 X( P5 [. D( U l8 T q1 O0 M* {2 }) l( @( `
Useful breakpoint to detect it:9 ?& W3 s; U: p! E! S* p
) `# T* a, b0 m2 T$ I. w5 {
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'4 N; l! _7 r" [3 U5 g8 o
' ~# v0 Z1 ~3 ^) O
__________________________________________________________________________
* I. n; R8 x: g# b$ b; _0 }# {, {" m0 h1 O5 o6 |* a* T* d
9 n) G( J2 _$ c3 r
Method 14
- p5 T+ l$ d; S) r=========+ _0 B4 N; n& [% u
4 e* q6 ?# w* P, Z- I% l, ]A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
3 R9 ~: N8 X& n* v! c' \is to determines whether a debugger is running on your system (ring0 only).# C- ]9 I# ?# m
6 B, B- ^+ S1 E4 o; N2 b! y VMMCall Test_Debug_Installed
1 w! T1 s1 Q D, @! F, P je not_installed+ \( |7 w. S' U: h7 x
0 _, P. `8 e3 T
This service just checks a flag.3 u3 k6 ]7 S, w. ^
</PRE></TD></TR></TBODY></TABLE> |