<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if a handle to the SoftICE Win9x driver can be opened. */
BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* The device exists, so the driver is loaded. */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected
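
The breakpoints above catch these tricks at run time; the scanner below is an added example (not code from this document) of the static counterpart an analyst can run over a binary to flag the instruction sequences and device names described in methods 01, 02, 03, 04, 05, 07 and 11. The byte patterns are assumptions derived from the listed instructions (16-bit encodings, or 32-bit encodings whose 66h prefix the patterns skip); the sample buffer is constructed inline.

```python
import re
from typing import List, Tuple

# Byte signatures for the anti-SoftICE sequences described in this document.
# Assumed encodings: 16-bit code, or 32-bit code with a 66h operand-size
# prefix that the patterns simply do not require. A gap of up to 8 bytes
# tolerates interleaved instructions. Wide-char device names are not covered.
SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("01", "BoundsChecker 'BCHK' check: mov ebp,4243484Bh ... int 3",
     rb"\xbd\x4b\x48\x43\x42.{0,8}\xcc"),
    ("02", "back door magic values: mov si,4647h / mov di,4A4Dh",
     rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a|\xbf\x4d\x4a.{0,8}\xbe\x47\x46"),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xbb\x02\x02.{0,8}\xcd\x2f"),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xbb\x5f\x7a.{0,8}\xcd\x2f"),
    ("05", "int 41h function 4Fh: mov ax,4Fh / int 41h",
     rb"\xb8\x4f\x00.{0,4}\xcd\x41"),
    ("07", "int 68h function 43h: mov ah,43h / int 68h",
     rb"\xb4\x43\xcd\x68"),
    ("11", "MeltICE-style device name \\\\.\\SICE, SIWVID or NTICE (ANSI)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
]


def scan(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method number, description) for every hit, by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        # DOTALL so the gap wildcard also matches a 0x0A byte.
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Scan a whole file image as raw bytes (no MZ/PE section parsing)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: NOP padding around three of the sequences above.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"  # method 01 (32-bit)
    + b"\x90" * 3
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"                  # method 03 (16-bit)
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                                   # method 11 string
    + b"\x90" * 5
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"0x{offset:04x}  method {method}: {desc}")
```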

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>