<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


        4C19:0095 MOV AX,0911   ; execute command.
        4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647   ; 1st magic value.
        4C19:009D MOV DI,4A4D   ; 2nd magic value.
        4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
        4C19:00A8 JB 0095       ; 6 different commands.
        4C19:00AA JMP 0002      ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected


___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the SoftICE
GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected


__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; es is assumed to be 0 here (the real-mode IVT
        xchg bx, es:[41h*4+2]   ; segment); Method 06 sets it explicitly
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl,al               ; our own handler just copies al into cl
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, saving the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value from the timer
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; if SoftICE took over int 41h, our handler
        jnz SoftICE_detected    ; never ran and cl != al

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).


        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
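The BPX and BPINT expressions given throughout the document catch these tricks at run time, once SoftICE is already attached. An analyst triaging a sample usually wants the static counterpart first: which of the catalogued anti-SoftICE checks does this file carry, before stepping into it. The scanner below is an added example and is not part of the original document. It hand-assembles the instruction sequences of Methods 01, 02, 03/04, 05, 07 and 12 into byte patterns, and searches for the MeltICE device names of Method 11 and the registry paths of Method 13 in both ASCII and UTF-16LE. The sample image it scans is constructed for the example, not taken from any real binary.

```python
import re

# Added example, not from the original document: a static scanner that flags
# the anti-SoftICE tricks catalogued above in a raw binary image, the offline
# counterpart of the BPX/BPINT expressions the text gives for catching them at
# run time. Opcode bytes are hand-assembled from the instruction sequences in
# the text; each pattern tolerates up to 16 bytes between its two halves.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' (BD 4B 48 43 42) ... int 3 (CC)
    ("method01_bchk_int3", rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC"),
    # Method 02: mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A) in either
    # order, then int 3 (CC). A 66h prefix in 32-bit code sits before and still matches.
    ("method02_int3_backdoor",
     rb"(?:\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46).{0,16}?\xCC"),
    # Methods 03/04: mov bx,0202h (BB 02 02) or mov bx,7A5Fh (BB 5F 7A) ... int 2Fh (CD 2F)
    ("method03_04_int2f_1684", rb"\xBB(?:\x02\x02|\x5F\x7A).{0,16}?\xCD\x2F"),
    # Method 05: mov ax,4Fh (B8 4F 00) ... int 41h (CD 41)
    ("method05_int41_4f", rb"\xB8\x4F\x00.{0,16}?\xCD\x41"),
    # Method 07: mov ah,43h (B4 43) ... int 68h (CD 68)
    ("method07_int68_43", rb"\xB4\x43.{0,16}?\xCD\x68"),
    # Method 12: push 4Fh (6A 4F, or 68 4F 00 00 00) immediately followed by
    # push 002A002Ah (68 2A 00 2A 00), i.e. VWIN32_Int41Dispatch via VxDCall
    ("method12_vxdcall_int41dispatch",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
]

# Method 11 (MeltICE) device names and Method 13 registry paths, searched both
# as ASCII and as UTF-16LE, case-insensitively.
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_PATHS = [r"Software\NuMega\SoftICE", r"Uninstall\SoftICE",
                  r"App Paths\Loader32.Exe"]


def scan_anti_softice(data: bytes) -> list[tuple[str, int]]:
    """Return (indicator, offset) pairs for every hit in data, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((name, m.start()))
    for kind, needles in (("device", DEVICE_NAMES), ("registry", REGISTRY_PATHS)):
        for text in needles:
            for enc in ("ascii", "utf-16-le"):
                pattern = re.escape(text.encode(enc))
                for m in re.finditer(pattern, data, re.IGNORECASE):
                    hits.append((f"{kind}:{text}:{enc}", m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def indicator_names(data: bytes) -> list[str]:
    """Distinct indicator names only, in order of first appearance."""
    seen = []
    for name, _ in scan_anti_softice(data):
        if name not in seen:
            seen.append(name)
    return seen


# Constructed sample image (not a real binary): Method 01, Method 02, two MeltICE
# device names and the Method 12 VxDCall sequence, padded with NOPs and zeros.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"            # mov ebp,04243484Bh ('BCHK')
    + b"\x66\xB8\x04\x00"                # mov ax,04h
    + b"\xCC"                            # int 3
    + b"\x3C\x04"                        # cmp al,4
    + b"\x75\x10"                        # jnz SoftICE_Detected
    + b"\x00" * 8
    + b"\xB8\x11\x09"                    # mov ax,0911h
    + b"\x8B\x17"                        # mov dx,[bx]
    + b"\xBE\x47\x46"                    # mov si,4647h
    + b"\xBF\x4D\x4A"                    # mov di,4A4Dh
    + b"\xCC"                            # int 3
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"                 # "\\.\SICE", ASCII
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"   # "\\.\NTICE", UTF-16LE
    + b"\x00" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"    # push 4Fh / push 002A002Ah
)

if __name__ == "__main__":
    for name, offset in scan_anti_softice(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run against the constructed image it reports Method 01 at offset 4, Method 02 at offset 31, the two device names, and the Method 12 push pair. The patterns are deliberately tight (exact immediates, short gaps), so a packer that reorders the loads, uses a different encoding of the same immediate, or builds the device name at run time will slip past them; treat a hit as a strong indicator and a miss as no information, and pair the static pass with the run-time breakpoints the text lists.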