<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911       ; execute command.
4C19:0098  MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647       ; 1st magic value.
4C19:009D  MOV DI,4A4D       ; 2nd magic value.
4C19:00A0  INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06         ; Repeat 6 times to execute
4C19:00A8  JB 0095           ; 6 different commands.
4C19:00AA  JMP 0002          ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_Detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_Detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number          ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* The VxD registers the device name SICE; opening it only succeeds
       when SoftICE is loaded. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:

        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:

        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                     ; OF_READ
        mov eax,[00656634]          ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589                ; detected
        push 00                     ; OF_READ
        mov eax,[00656638]          ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                 ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited because it's only available for
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

        push 0000004Fh              ; function 4Fh
        push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                    ; low word specifies which service
                                    ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001      ; VxDCall
        cmp ax, 0F386h              ; magic number returned by system debuggers
        jz SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
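The instruction sequences of methods 01, 02, 03/04, 05, 07 and 12, and the device names of method 11, leave fixed byte patterns in a packed or protected binary, so an analyst can flag them statically before ever running the sample. The scanner below is an added example written for this text (not code from the original, from Stone's archive, or from MeltICE); the signatures assume 16-bit code or 32-bit code with the 0x66 operand-size prefix, in the instruction order shown above, and the sample buffer is constructed.

```python
import re

# Byte-level signatures for the SoftICE checks described in methods 01-12.
# Encodings assume 16-bit code, or 32-bit code with the 0x66 operand-size
# prefix, and the instruction order shown in the text (an assumption made
# for this example; a real packer may reorder or obfuscate the sequence).
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 within a few bytes
    ("M01 BoundsChecker 'BCHK' / int 3",
     rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    # Method 02: mov si,4647h ; mov di,4A4Dh (back door magic values)
    ("M02 back door magic SI=4647h DI=4A4Dh",
     rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A"),
    # Method 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("M03/04 int 2Fh/1684h SICE or SIWVID VxD ID",
     rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h (expects 0F386h back)
    ("M05 int 41h/4Fh", rb"\x66?\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68h/43h", rb"\xB4\x43\xCD\x68"),
    # Method 11 (MeltICE): driver names opened with CreateFileA or _lopen
    ("M11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 002A002Ah (VxDCall VWIN32_Int41Dispatch)
    ("M12 VxDCall 002A002Ah/4Fh", rb"\x6A\x4F\x66?\x68\x2A\x00\x2A\x00"),
]


def scan(data: bytes):
    """Return sorted (offset, description) pairs for every signature hit."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: a few of the sequences above embedded in filler bytes.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                        # mov ax,0911h
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"        # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x90" * 3
    + b"\x66\xB8\x4F\x00\xCD\x41"            # mov ax,4Fh ; int 41h (32-bit code)
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                     # '\\.\SICE',0 as MeltICE stores it
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"    # mov ax,1684h ; mov bx,0202h ; int 2Fh
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08x}  {name}")
```

A hit only says the bytes are present; confirm in the disassembly that they sit on an executed code path (a packer may also store the sequence in data) before treating the sample as anti-debugging.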

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>