<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with EBP set
to the 'BCHK' signature and AX = 4, the INT 3 is serviced by SoftICE,
which returns with AL changed. If AL is still 4 afterwards, no SoftICE is
present.

        mov     ebp, 04243484Bh         ; 'BCHK' (little-endian immediate: 4B 48 43 42 in a hex dump)
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which return information on breakpoints or
execute SoftICE commands.
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-(

Here is a quick description:
-AX = 0910h (display a string in the SoftICE window)
-AX = 0911h (execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (get breakpoint information)
-AX = 0913h (set SoftICE breakpoints)
-AX = 0914h (remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' SoftICE checks before honouring the call.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy: jump back.
4C19:00AD  MOV  BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own INT 3 exception
  handler, which only gets control when no debugger has hooked INT 3.
___________________________________________________________________________

Method 03
=========

A less used method. It asks for the SoftICE VxD's API entry point via
INT 2Fh, AX=1684h (Get Device API Entry Point): ES:DI comes back as
0000:0000 when no VxD with that ID is loaded.


        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di                  ; sloppy zero test of ES:DI, but it is 0000:0000 when absent
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one except that it looks up the ID of the
SoftICE video VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

A method looking for the 'magic number' 0F386h that system debuggers
(SoftICE among them) return in AX to INT 41h, function 4Fh (the debugger
installation check).
There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next one, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). It first points the INT 41h vector at a
do-nothing IRET handler, so that without a debugger AX comes back unchanged
(4Fh); SoftICE services INT 41h before the vector in the IVT is ever
consulted, so it still answers 0F386h:

        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; ES must be 0 (IVT), as set up in Method 06
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but harder to spot, because
neither the 4Fh function code nor the 0F386h magic appears in the code.
The installed handler copies AL into CL; AL is loaded from the timer port
(a value hard to predict) and CX is zeroed first. If the handler runs
(no debugger), CL equals AL afterwards; if SoftICE swallows the INT 41h,
CL is still 0. (When AL happens to be 0 the check misses, 1 time in 256.)

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP


        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our handler, keep the old vector in DX:BX
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; PIT counter 0, low byte: a near-random value
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode): AH=43h is the
installation check of that interface and a debugger answers AX=0F386h.

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
This is not a SoftICE detection method but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing at the new routine to execute (hangs the computer...)

        mov     ah, 25h                 ; DOS: set interrupt vector
        mov     al, 01h                 ; or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app through VxDCall).
The Get_DDB service is used to determine whether a VxD is installed for
the specified device, and returns that device's Device Description Block
(in ecx) if it is.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov     edi, Device_Name        ; only used when there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) and whether memory breakpoints are set (DR0 to DR3), simply by
reading their values. This is ring 0 only: a MOV from a debug register at
CPL 3 raises a general protection fault. The registers can be written as
well (clearing BPMs, for instance).

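To make the DR7 values quoted above concrete, here is an added example (not from the original text) that decodes a DR7 value into the armed DR0..DR3 slots and the LE/GE/reserved control bits, programs a BPM-style entry, and shows what "clearing BPMs" amounts to at the bit level. It only manipulates the numeric value: reading or writing DR7 itself is privileged, which is why the text says ring 0 only. The arm() and clear_bpms() helpers and the "loader_signature" label are this example's own names, not SoftICE's.

```python
"""Decode and manipulate the x86 DR7 debug-control register.

Added example, not from the original text.  0x400 is only the always-set
reserved bit 10; 0x700 adds LE and GE (bits 8 and 9, "exact" data breakpoint
reporting), the value the text attributes to a program started by the SoftICE
loader.  Bits 0-7 enable DR0..DR3 locally/globally, bits 16-31 say how each
one triggers.
"""
from dataclasses import dataclass
from typing import Dict, List

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "I/O", 0b11: "read/write"}  # R/Wn; I/O needs CR4.DE
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}  # LENn; 10b means 8 bytes only in 64-bit mode


@dataclass(frozen=True)
class HwBreakpoint:
    slot: int      # 0..3: which of DR0..DR3 holds the linear address
    local: bool    # Ln bit (bit 2*slot): active for the current task only
    glob: bool     # Gn bit (bit 2*slot+1): active for all tasks
    kind: str      # decoded R/Wn field (bits 16+4*slot, 17+4*slot)
    length: int    # decoded LENn field (bits 18+4*slot, 19+4*slot)


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Return the armed hardware breakpoints and the global control bits of `dr7`."""
    bps: List[HwBreakpoint] = []
    for slot in range(4):
        local = bool((dr7 >> (2 * slot)) & 1)
        glob = bool((dr7 >> (2 * slot + 1)) & 1)
        if not (local or glob):
            continue                      # slot disabled: its R/W and LEN fields are irrelevant
        rw = (dr7 >> (16 + 4 * slot)) & 0b11
        ln = (dr7 >> (18 + 4 * slot)) & 0b11
        bps.append(HwBreakpoint(slot, local, glob, RW_KIND[rw], LEN_BYTES[ln]))
    return {
        "breakpoints": bps,
        "exact": bool(dr7 & 0x300),             # LE (bit 8) or GE (bit 9)
        "reserved_bit10": bool(dr7 & 0x400),    # always reads as 1 on a real CPU
        "general_detect": bool(dr7 & 0x2000),   # GD (bit 13): #DB on any access to DRn
        "loader_signature": (dr7 & 0x700) == 0x700,  # the 0x700 value quoted in the text
    }


def arm(dr7: int, slot: int, kind: str, length: int, glob: bool = True) -> int:
    """Program slot `slot` of DR7 as a `kind` breakpoint over `length` bytes (a BPM-style entry)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 &= ~(0b1111 << (16 + 4 * slot))            # clear R/Wn and LENn
    dr7 |= (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))
    dr7 |= 1 << (2 * slot + (1 if glob else 0))      # set Gn or Ln
    return dr7


def clear_bpms(dr7: int) -> int:
    """What a protection that 'clears BPMs' does: drop L0-L3/G0-G3 and every R/Wn, LENn field,
    keeping only the global control bits (LE, GE, reserved bit 10, GD)."""
    return dr7 & ~(0x000000FF | 0xFFFF0000)


if __name__ == "__main__":
    for value in (0x400, 0x700, arm(0x700, 0, "read/write", 4)):
        print(f"DR7={value:#010x}: {decode_dr7(value)}")
```

Running it shows why the text singles out 0x700 and 0x400: both decode to no armed slots, the difference being only LE/GE; a SoftICE BPM then adds a G or L bit plus a non-zero R/W and LEN field, which a protection can read back (ring 0) or wipe with clear_bpms().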
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. It was however first used by NuMega itself, to let
Symbol Loader check whether SoftICE was active or not (the code sits
inside nmtrans.dll).

The way it works is very simple:
it tries to open a handle to the SoftICE drivers (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE device can be opened, i.e. SoftICE/95 is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001 / VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the carry flag to let the
handle be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push    00402025              ; \\.\SICE
        0040106C: call    CreateFileA
        00401071: cmp     eax,-001              ; INVALID_HANDLE_VALUE
        00401074: je      00401091

There are hundreds of BPXs you could use to catch this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit-style
_lopen function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word selects the VxD (VWIN32),
                                        ; low word the service (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________
Method 13
=========
Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is lpSubKey; 0x13 and 0x37 are the offsets of "tICE" in keys #2 and #1)

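The byte sequences behind Methods 01 to 07 and 12, and the strings behind Methods 11 and 13, are fixed enough to be found statically before the target ever runs. The following Python scanner is an added example and is not part of the original text: the patterns are hand-encoded from the instructions quoted above, the sample blob is constructed for this example and comes from no real binary, and the output labels are this example's own. A real protector will usually obfuscate these sequences, so no hit proves nothing; a hit tells you which breakpoint from the sections above to set.

```python
"""Static scan of a raw code/data blob for the SoftICE checks catalogued above.

Added example, not from the original text.  The byte patterns are hand-encoded
from the instruction sequences quoted in Methods 01-07 and 12; the strings are
the device names of Method 11 and the registry keys of Method 13.
"""
import re
from typing import List, Optional, Tuple

# Back-door functions selected in AX (Method 02); mov ax,09xxh is B8 xx 09,
# optionally behind a 66h operand-size prefix in 32-bit code.
BACKDOOR = {0x10: "0910h display string", 0x11: "0911h execute command",
            0x12: "0912h get breakpoint info", 0x13: "0913h set breakpoint",
            0x14: "0914h remove breakpoint"}
_BACKDOOR_RX = re.compile(rb"\x66?\xb8([\x10-\x14])\x09", re.S)

# Instruction patterns; immediates are little-endian ('mov si,4647h' is BE 47 46).
PATTERNS = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("M01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc", re.S)),
    # Method 02: mov si,4647h and mov di,4A4Dh (either order)
    ("M02 back-door magic SI=4647h DI=4A4Dh",
     re.compile(rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,8}?\xbe\x47\x46", re.S)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("M03/04 int 2Fh/1684h VxD entry point",
     re.compile(rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f", re.S)),
    # Method 05: mov ax,4Fh / int 41h
    ("M05 int 41h/4Fh", re.compile(rb"\x66?\xb8\x4f\x00\xcd\x41", re.S)),
    # Method 07: mov ah,43h / int 68h
    ("M07 int 68h/43h", re.compile(rb"\xb4\x43\xcd\x68", re.S)),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("M12 VxDCall VWIN32_Int41Dispatch 4Fh",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00", re.S)),
    # Methods 05/07/12 then test the answer: cmp ax,0F386h
    ("cmp ax,0F386h", re.compile(rb"\x66?\x3d\x86\xf3", re.S)),
]

# Looked for as ASCII and as UTF-16LE (the *W API variants).
STRINGS = {
    b"\\\\.\\SICE": "M11 MeltICE device name SICE",
    b"\\\\.\\SIWVID": "M11 MeltICE device name SIWVID",
    b"\\\\.\\NTICE": "M11 MeltICE device name NTICE",
    b"Software\\NuMega\\SoftICE": "M13 registry key #2",
    b"Uninstall\\SoftICE": "M13 registry key #1",
    b"App Paths\\Loader32.Exe": "M13 registry key #3",
}


def backdoor_function(blob: bytes, at: int, window: int = 16) -> Optional[str]:
    """Name the back-door function whose 'mov ax,09xxh' sits within `window` bytes of `at`."""
    m = _BACKDOOR_RX.search(blob, max(0, at - window), at + window)
    return BACKDOOR[m.group(1)[0]] if m else None


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every hit, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for name, rx in PATTERNS:
        for m in rx.finditer(blob):
            desc = name
            if name.startswith("M02"):
                fn = backdoor_function(blob, m.start())
                desc += f" -> {fn}" if fn else " (function not found nearby)"
            hits.append((m.start(), desc))
    for ascii_s, name in STRINGS.items():
        wide = ascii_s.decode("ascii").encode("utf-16-le")
        for needle, tag in ((ascii_s, ""), (wide, " (UTF-16)")):
            off = blob.find(needle)
            while off != -1:
                hits.append((off, name + tag))
                off = blob.find(needle, off + 1)
    return sorted(hits)


# Constructed sample (no real binary): the quoted sequences glued together with NOPs.
SAMPLE = b"".join([
    b"\x90" * 4,
    b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc",        # Method 02 (as in Haspinst.exe)
    b"\x90" * 4,
    b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10",  # Method 01, 32-bit code
    b"\x90" * 4,
    b"\x31\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f",        # Method 03
    b"\x90" * 4,
    b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10",                # Method 05 + cmp ax,0F386h
    b"\x90" * 4,
    b"\xb4\x43\xcd\x68",                                        # Method 07
    b"\x90" * 4,
    b"\x6a\x4f\x68\x2a\x00\x2a\x00\xe8\x00\x00\x00\x00\x66\x3d\x86\xf3",  # Method 12
    b"\x90" * 4,
    b"\\\\.\\SICE\x00Software\\NuMega\\SoftICE\x00",             # Methods 11 and 13
])

if __name__ == "__main__":
    for off, desc in scan(SAMPLE):
        print(f"{off:06x}  {desc}")
```

The M02 entry also reports which back-door function the nearby mov ax,09xxh selects, so a 0911h hit (execute command) is the one to treat as a potential HBOOT and to neutralise before tracing; the two cmp ax,0F386h hits show that the F386h comparison is a good generic signature even when the INT 41h/INT 68h/VxDCall entry itself has been obfuscated.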
__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed           ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>