<TABLE width=500>
4 i& Z: x1 m( z& T0 ~5 D! s<TBODY>
' @1 V* I$ v; Z2 g/ v<TR>+ X8 s9 X% i' w' p" x
<TD><PRE>Method 01 ! l7 S' E+ e' G
=========
& v6 S W G" Y$ X" V, O5 i$ n5 q( x8 Q' r
This method of detection of SoftICE (as well as the following one) is3 h- J3 Q% @$ p# @% U
used by the majority of packers/encryptors found on Internet.7 f. x) W% e: m4 q: E0 Q& o8 a* p0 u
It seeks the signature of BoundsChecker in SoftICE
+ v* t4 U& q3 b9 I
3 w; T- M: s- ]( Q) j mov ebp, 04243484Bh ; 'BCHK'
0 J7 a& o( b3 ^0 [, _ mov ax, 04h
$ N4 d$ ~" _- i% h. P0 [$ d. Z" U int 3 $ t" w7 D l" T
cmp al,48 m: `9 k" p9 k% s# g, e
jnz SoftICE_Detected
; V" b V$ _( c* C( _* R& I" I, E: z; z" [1 L2 X% f
___________________________________________________________________________) z ?$ ~. D+ Z4 {
0 g) j) u# \ c- L- t
Method 02. c: |) q2 l' X2 u! z
=========) T( w/ F( v# `0 r4 d6 _' p9 W1 x$ s' Y+ v
6 N7 x" f; e) V
Still a method very much used (perhaps the most frequent one). It is used- }) s# u3 W) W: R4 e) {
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
8 u. }! H% e# A }6 H) z# W; Q2 gor execute SoftICE commands...
* t' d5 \1 t% k' L5 t$ g6 ~* LIt is also used to crash SoftICE and to force it to execute any commands. N' ]) @# `' `- A& K4 m
(HBOOT...) :-(( l0 D) r& u4 w) M: N4 D) ]3 D+ P
3 r- ]+ d9 [+ c- G& R" h
Here is a quick description:
7 e0 U! o4 L# E4 m- _* f+ N) L. d1 ~! U% x-AX = 0910h (Display string in SIce windows)8 _; i0 O& v& _0 z& a
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
0 _& H/ {5 i: L-AX = 0912h (Get breakpoint infos)
4 E9 v6 O) t+ A5 }6 M' e-AX = 0913h (Set Sice breakpoints)( s% J! w2 C- C3 w2 `2 W% ]' E+ u$ _
-AX = 0914h (Remove SIce breakoints)$ k) X7 ~+ [) S) Q: g
- d$ E/ c; u) i8 g- J
Each time you'll meet this trick, you'll see:1 k- W6 _, {; D9 }* X2 [
-SI = 4647h
* \# m8 P/ V/ X% j) q, H# w-DI = 4A4Dh8 a4 k4 n! e+ k# a
Which are the 'magic values' used by SoftIce.3 P) i$ r! m: F% N
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
& ` S7 ~* W6 b, X# X. O
: \* V0 f ^$ B3 }Here is one example from the file "Haspinst.exe" which is the dongle HASP
) |$ D9 [! L2 V8 M7 yEnvelope utility use to protect DOS applications:
5 Q2 X, r- V. Z A3 U) z' s5 G, \
1 s3 n2 R; a1 r# }) T2 u T, M! N. Y! ?
4C19:0095 MOV AX,0911 ; execute command.
+ C( @ l" v6 y4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
c2 Q" g- }0 K, ]9 v9 u* R4C19:009A MOV SI,4647 ; 1st magic value.' D0 W/ @, w+ K' i
4C19:009D MOV DI,4A4D ; 2nd magic value.
' _( l0 n5 p* b! e. n; b4 {4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)4 L, f0 k* C5 ~3 _
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
& d) S6 M0 l7 L' ~4C19:00A4 INC CX9 E3 x& E5 b ], J5 |& a- [
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute2 o/ M$ F/ S+ i
4C19:00A8 JB 0095 ; 6 different commands.
A5 v7 H" p" m: s- b# e/ i4C19:00AA JMP 0002 ; Bad_Guy jmp back.! b" I T! N% W) s( a2 X# z
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)- e' L0 r5 S2 H
6 L9 @# S+ I! X! W& G" jThe program will execute 6 different SIce commands located at ds:dx, which
/ m$ i- F% K3 o) Dare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
) h6 @$ F/ I5 V' ]8 v
9 R: f4 y" Z/ I) F: X/ m/ u' ~% L3 i* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
7 W0 z) r0 K1 |9 M* V- @* n$ j___________________________________________________________________________, ^) Q4 Y4 j6 k: {# D' b
; N, d8 q6 I5 r/ t7 r7 C* C4 l
" R2 h1 S y' R8 K
Method 03/ Z9 S$ k4 w1 u: Y$ J- A3 w% o% \/ S
=========7 [0 A# m& p. t" J' v
4 H2 i5 j! q" i/ O5 x- M
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h& Q6 |4 B0 T! ~3 n8 \
(API Get entry point). r# f- F3 O3 Q+ P$ q' N
0 \- J1 i) R p( ?- T6 a
4 R5 Y2 H3 W& X$ L, Z, g/ K xor di,di! q i" j; w* \$ Q+ }* L
mov es,di) s4 w9 ^# e& u& Q" h4 v0 V
mov ax, 1684h
/ y c) X: W( O( @$ \1 w8 A mov bx, 0202h ; VxD ID of winice
?' O9 l) U8 k int 2Fh; V9 R x j6 X
mov ax, es ; ES:DI -> VxD API entry point$ q# o' v! r0 V# [
add ax, di+ y' _6 S' w2 e/ G5 Z
test ax,ax$ K$ x# y8 {4 I0 J
jnz SoftICE_Detected, ~) |; I7 b! x$ b
4 v1 ?+ l) l) l3 `5 }___________________________________________________________________________
/ t+ D4 Y; {" C& k9 k- Z6 o4 t$ H+ M: y' H; g3 X
Method 04
3 [4 y( R$ q; ^3 @7 h=========9 L7 s. ^% q$ y8 t2 H8 m" M
6 b- h! a C; H) ]3 h5 hMethod identical to the preceding one except that it seeks the ID of SoftICE$ V6 w; n( b3 A e. O% a0 h! Z
GFX VxD.
% w! O8 o- X! ?9 d6 O7 v3 }+ g; F& ~2 Y
xor di,di
/ t% F. `# E5 G! z `" I. S0 u mov es,di+ z( S7 g7 o, D3 u
mov ax, 1684h 7 G, p/ e4 M) u1 W2 E
mov bx, 7a5Fh ; VxD ID of SIWVID
) a/ F3 y# L( L# Q$ ?" e5 t7 p int 2fh
# e0 k. w3 p. Q P1 M$ j mov ax, es ; ES:DI -> VxD API entry point
9 T% ~1 `' r, { add ax, di" g$ { v+ P8 k, b
test ax,ax
. v5 c) y; I. y1 H. E jnz SoftICE_Detected& @- b1 o. J. ]6 Q6 k
* {8 I% E8 b% R4 n& F2 k__________________________________________________________________________
# _, U* v2 s* U' t) R/ X9 m
: ^% M5 W$ `6 U2 H* l
0 Q# t2 c) I. WMethod 05
6 v* Y& Z5 j- O1 `' n# y y* s8 z/ H=========
& `3 t3 e# [; T
; L$ L; h3 F" t( m) q: ]; AMethod seeking the 'magic number' 0F386h returned (in ax) by all system
! c: d4 K6 ~8 Gdebugger. It calls the int 41h, function 4Fh.
5 w+ N2 F) \+ d' ^There are several alternatives. + N( x3 b' O6 V1 P" b* F, @
! p; ^8 j- H" I/ ?" r6 Y
The following one is the simplest:
- X5 g$ r9 k$ K5 ^4 K' |6 ^6 U. s0 o, Y6 h/ C; C
mov ax,4fh R. c- Q4 h$ l0 q; t; @
int 41h
3 v3 B0 R7 r! a" a cmp ax, 0F386& j' d) J! C& {, T; ~6 |
jz SoftICE_detected
# m& \& P, d% a, L+ s2 k, ]. k2 q" A$ p. Q
" U& Z6 o7 S* Y+ r6 t9 L
Next method as well as the following one are 2 examples from Stone's . A5 }- h# Y9 K0 p- P; ]
"stn-wid.zip" (www.cracking.net):1 E, q$ f0 r% e/ S/ W# G0 O# \
( n; Y: s4 b8 r: q% G8 f) Z mov bx, cs
8 O3 @# u5 b* h1 B6 H5 ` lea dx, int41handler2- n p" P# W; Z5 B& z
xchg dx, es:[41h*4]
' x" n2 v6 T: Q$ l xchg bx, es:[41h*4+2]/ I4 a! C, [ Y$ p
mov ax,4fh
# }2 I7 d0 l. r5 q. k+ z( {: e int 41h
- b7 g# n. z) Z! f0 s* z xchg dx, es:[41h*4]1 \( H9 ~ {2 I, c# D
xchg bx, es:[41h*4+2]
4 }: y% c& V2 z) q. a3 C, V* f+ J cmp ax, 0f386h6 X+ I; C+ B( f$ \- i) h
jz SoftICE_detected* U7 D: k+ `, w+ U0 `5 G
. k( D( z0 |# j N$ p2 z* {int41handler2 PROC3 G, [7 l9 y- H: J0 m
iret8 b: G2 u0 G$ i( o6 i3 v. I
int41handler2 ENDP
D: H% I- y# u0 K" C; }* @) ?" l: y! D ~- Y
! k! |" I6 x" z- ?& s5 ?_________________________________________________________________________9 n; z0 Q1 R z1 X
, ^* W( P5 Q# `( C: f$ c1 `
- I+ X7 _$ x$ w; R- Q# H( r9 mMethod 06
5 r8 X0 Z f9 M=========
$ e/ ?: i6 s3 i% L6 e' K: `
4 d8 z3 v+ d% ]( {7 O9 G8 y
% K+ P; f7 K9 P' [, g2nd method similar to the preceding one but more difficult to detect:) M' G5 R* v( |1 `. o3 c0 ]* g9 R
/ t/ H5 H0 ~1 `" r( O# b2 Y4 j4 J; b1 n; R2 n
int41handler PROC
9 i: x" `, w( ~ v mov cl,al5 Q7 J6 M% e @6 {8 S
iret+ j8 o2 e8 \2 n+ p
int41handler ENDP/ E, h' {7 G, |1 a
$ |) V. R( h8 y2 s3 J/ y
5 I& _& f2 R0 @9 q, N
xor ax,ax
9 Z5 k6 L4 D; b6 m mov es,ax% E( S8 @; d3 B* F
mov bx, cs
( f+ i2 c1 Z4 h1 h lea dx, int41handler5 f; Q1 u4 i- n" ]$ I( K! V, D% k
xchg dx, es:[41h*4] ~8 j; t. k0 r% [; _; |/ m, O/ J" Q
xchg bx, es:[41h*4+2]1 s `$ m2 }& e# L, l
in al, 40h7 o1 B3 @- \! F; ^5 j5 M
xor cx,cx: _# A; d+ g5 q/ E! s
int 41h
8 I4 N( N C! A xchg dx, es:[41h*4]
, t0 ~( k7 x9 \ xchg bx, es:[41h*4+2]) [6 d7 R1 I5 ~- B$ q
cmp cl,al
8 T' }- y( ` b" Y jnz SoftICE_detected
6 D2 O8 ~# y) m' P
' K* |" V* _. @) Z( L- }_________________________________________________________________________7 q! w$ _$ [6 X5 x
9 @# x/ a0 N1 `4 SMethod 07
( d: E, }9 S/ ~9 K5 [=========
- H1 `1 k% w2 d ]
7 s g0 c5 C* z+ hMethod of detection of the WinICE handler in the int68h (V86)% i e& F- B& L
z* i: m9 m S. U8 |/ X mov ah,43h
; O" _' ^3 o0 c7 K int 68h
9 h0 f, z/ N& T$ e; h0 r( G; ] cmp ax,0F386h
; x8 U. v/ r* n- |& N1 A jz SoftICE_Detected
* V5 |" o8 X& O0 S1 [( B9 P4 t. f* v q. Y1 q. P
; q4 M. T: i* u# p- n, \" b) c=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
3 n- v# y' \, t% r+ e" S% }) X app like this:3 _8 ?0 @2 p; h+ _8 d
, I7 _2 G# T8 X0 N BPX exec_int if ax==68
b% O# z& u- o' d9 A (function called is located at byte ptr [ebp+1Dh] and client eip is+ d! W5 G$ O$ N% V
located at [ebp+48h] for 32Bit apps)1 ]- n8 s% s4 C8 k6 h5 U; l( G6 z. `, X
__________________________________________________________________________2 {( Q7 p- t1 `$ |( i
' M: F) P9 a6 }7 i
- r) ~2 _9 _% {6 W
Method 08# x4 J! D* k& S* h+ n
=========! Z8 z4 |$ x% w' a. H8 d
! k F$ E6 j; N0 k3 m. o
It is not a method of detection of SoftICE but a possibility to crash the
4 G4 X6 g/ d3 ~3 i* d% F Hsystem by intercepting int 01h and int 03h and redirecting them to another0 ?" v$ [# W/ c% ]: H+ ?2 ?
routine.
i3 g( }+ F) w% f4 HIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points2 K8 j/ O, E; Q' u/ K' v# Q
to the new routine to execute (hangs computer...)- `! R4 `+ d' h0 i2 v
. n" T$ I- R* Y: {3 H
mov ah, 25h+ v* q. S2 q" t6 k+ z# h
mov al, Int_Number (01h or 03h)
7 c( R& Y- ?4 U. }+ ^. Y mov dx, offset New_Int_Routine
3 m* k7 I; Y @. I0 B0 H9 f1 f int 21h! j% c: \( y9 a6 N' `- ~
, T" l- C* K& U$ l7 W9 ?3 q* [2 r
__________________________________________________________________________
1 @" y" [, s' |/ h
6 ?; z. T/ K ]: ]5 ?0 nMethod 09' x* l2 r- T" o. ^5 s; T
=========/ H) o0 p% H! ?3 ]3 a _
4 [* N# w9 u3 n7 O% u( D6 jThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
: ^, b) R4 J8 B0 V6 T+ C5 Qperformed in ring0 (VxD or a ring3 app using the VxdCall).
+ q: S& ?1 `/ k) vThe Get_DDB service is used to determine whether or not a VxD is installed
9 e, E% \% z1 N: e! L. lfor the specified device and returns a Device Description Block (in ecx) for
! {% D ?' z6 T7 E7 P) jthat device if it is installed.
& s, ]5 T0 D$ I& s
4 s& P) s) k4 f3 n2 M mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
3 m" t ~( G/ v: K d mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
8 s) y# R5 Q; R+ m* y1 m9 j9 G8 F VMMCall Get_DDB
1 l5 Q+ p6 `& n! j7 I+ T mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
8 E. S8 i+ a" d) s1 P5 p9 i/ h1 G$ y% _/ D, B# ^
Note as well that you can easily detect this method with SoftICE:0 O" g+ {& @. W. E
bpx Get_DDB if ax==0202 || ax==7a5fh
4 Y& l" S" x( K* m4 t! d: k" x1 X2 \' c0 w, _6 v: l, E
__________________________________________________________________________
% \. C* A+ C1 W* x$ C$ z
7 ^0 W1 r% o6 k+ |Method 10
. i) y. B* a# Q& B% _/ g=========
( w- u, F4 w Y* ]& B
) [3 e1 B/ o3 A6 `& R; X! b=>Disable or clear breakpoints before using this feature. DO NOT trace with
! L; Z4 K9 l; Q5 f4 n SoftICE while the option is enable!!
1 p* J0 X4 T& U5 I3 [" S# F; w: j0 \5 |. j I/ j% a
This trick is very efficient:6 o& b6 A' U6 _6 u$ P' S) G
by checking the Debug Registers, you can detect if SoftICE is loaded1 D- Q+ |7 g* G) U; |! b7 e/ J
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if: ?3 n n6 {$ t4 g
there are some memory breakpoints set (dr0 to dr3) simply by reading their
- L' a7 B" w3 Ivalue (in ring0 only). Values can be manipulated and or changed as well5 f2 C9 r$ T, V; H- |% e) I! ?; f5 M
(clearing BPMs for instance)7 t: Y6 c3 o7 m+ R: }
: x- Y& ]6 K$ o; D, r; z
__________________________________________________________________________
& D) C5 h: Y+ s% }( c% B% Z7 K& m7 d* L2 t, |* R
Method 119 }( ?! @+ d8 p" ]
=========
& @: Y$ }' L: J8 ~
+ p9 E9 R" ]/ v+ K GThis method is most known as 'MeltICE' because it has been freely distributed
, k. s9 \6 u0 ]! Tvia www.winfiles.com. However it was first used by NuMega people to allow- @7 ~9 V8 h4 v/ y: d
Symbol Loader to check if SoftICE was active or not (the code is located
6 l E' D* ~* V% y" H0 b+ y+ Kinside nmtrans.dll).
( A$ _. h- S/ O1 o: v
) [6 c& x0 S7 {3 q7 O5 f* W/ T- K) CThe way it works is very simple: E1 T8 q( x! }; R
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for. x5 A; ?( Y& p
WinNT) with the CreateFileA API.
+ p' G8 ^6 }5 Z# Y
$ X0 q% v' y0 f/ b1 U1 gHere is a sample (checking for 'SICE'):% V6 S6 A# m G7 M5 V& h
( L( e! R5 p* ]" M7 S9 `1 P
BOOL IsSoftIce95Loaded()+ D* }. D0 ?3 _# U$ @# @4 ^7 G/ C) }( e
{+ }& S: Q0 ~ ~& m
HANDLE hFile;
+ Y% P K8 Z4 x0 H( q5 ]! ?) I hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,& v3 |4 `3 Z8 ?+ w' ]0 e, Y0 L
FILE_SHARE_READ | FILE_SHARE_WRITE,
8 h& S* u, }# K7 {: _# z NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);7 E$ E& u% i3 A- g: z; N8 K3 Q' v- S
if( hFile != INVALID_HANDLE_VALUE )+ q, f+ L2 D( L7 z; o4 j% t/ L
{- j' [( m. w8 y; t
CloseHandle(hFile);4 c1 ?4 u7 r9 O1 q% A1 Z1 a# C
return TRUE;# q' @, j: q) T) L5 A
}
6 `9 [9 {, b n2 K% k, D' { return FALSE;# A# X) J* A ^4 u0 r
}( c& x2 z1 o3 P+ h* j* d7 B; t- O
7 q8 m0 U* R' n
Although this trick calls the CreateFileA function, don't even expect to be
* Y/ [/ L9 p3 bable to intercept it by installing a IFS hook: it will not work, no way!9 }9 U+ G( ?3 t( K' D2 y: Y
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
+ _- y" }2 h8 x* ~4 i" Y Lservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
]8 q q% H- C/ U2 m# Vand then browse the DDB list until it find the VxD and its DDB_Control_Proc
" v! c. h1 }4 |. O3 E1 mfield.4 l1 R0 N: T2 S( B. b7 F( r* m
In fact, its purpose is not to load/unload VxDs but only to send a ; K; U6 H2 d. E6 _2 [1 G j& [
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
1 O. ^5 w* b7 t7 c/ h& p) ]* hto the VxD Control_Dispatch proc (how the hell a shareware soft could try+ H n: Y# ?; |5 a7 f5 r
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
2 I5 ^& `/ D7 s0 {, `If the VxD is loaded, it will always clear eax and the Carry flag to allow
5 p! R# K) w# | k s2 |& uits handle to be opened and then, will be detected.
4 b% x! q/ G% l/ @& rYou can check that simply by hooking Winice.exe control proc entry point
( q* F/ L V! ~& W3 cwhile running MeltICE.+ h* L1 u' s# \- `; k$ K
% i" k9 X$ V7 y2 _" b1 q) R% T" d. {; m! a8 f" t6 [/ V
00401067: push 00402025 ; \\.\SICE
% t9 `# f7 Z9 e! D7 V8 G 0040106C: call CreateFileA/ `, f) r) E* G, D& [5 g0 d
00401071: cmp eax,-001
$ O+ M$ p: ?$ ]; ?5 B$ U6 E 00401074: je 00401091
4 R$ A0 V2 H. O5 h( z$ C+ c- X Y6 X) m. ~! k
7 m! ~( C& p$ u* c0 R. ?! L2 BThere could be hundreds of BPX you could use to detect this trick.: z5 q8 @7 u W h& t# I2 A3 k
-The most classical one is:6 h* Y8 x4 h4 L& a) c
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||- ^3 s4 l+ C3 O5 y$ U/ O
*(esp->4+4)=='NTIC'
8 i) g' L7 {2 c+ b$ z9 y/ U- K& S
" U8 {4 W# d9 e( L0 J-The most exotic ones (could be very slooooow :-(
/ q& O8 x, F) ^4 |( r* @ BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') + q1 J! m. s, C
;will break 3 times :-(
5 F+ D/ N' y1 K0 F1 \
, J' v* o+ Q' R$ z' b-or (a bit) faster: 7 l1 }6 f& g) L2 m- l+ n
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')9 b. s# `3 [& b
- z) L+ A+ Z6 Z! l4 }+ L5 t6 I
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
' A* @3 I, o$ K2 }6 w- v" F% r ;will break 3 times :-(7 K# R* z5 V7 G% B$ O- @
" E, h0 r% X3 B: W5 q5 w$ s-Much faster:' {/ x- k6 p$ \/ l
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
/ y: @$ \4 [- r% a
2 ^1 }; \5 n+ t8 v2 X, Y: v+ n' iNote also that some programs (like AZPR3.00) use de old 16-bit _lopen7 v0 g- {' F' d1 X6 u ?
function to do the same job:
0 v M6 c$ v. R0 O
" c7 L8 j. Z5 V. H0 C- k push 00 ; OF_READ
, _/ a* C2 ^; L7 X- Y mov eax,[00656634] ; '\\.\SICE',0
6 y, C4 A+ j: q+ _4 r7 {9 D7 g; D push eax! H) P* A1 \. S& j7 B* V! P
call KERNEL32!_lopen
0 @5 s& k8 i+ V' d inc eax) R0 d8 h, u" r: c+ x
jnz 00650589 ; detected% S! U ^5 V8 i7 s6 c' P( k2 T' E
push 00 ; OF_READ* g b7 z* L* b
mov eax,[00656638] ; '\\.\SICE'
0 t) ?- P# X% [; @9 U8 [4 J push eax. [2 M/ R# e, ~
call KERNEL32!_lopen2 ~. u& b2 R+ y1 @
inc eax
9 `. |6 S1 X- r9 N4 l _6 j* m# j7 f jz 006505ae ; not detected# f2 P4 O0 e0 d. Q
# L; X8 ]& l4 y6 G* C7 `& f2 a
6 O. w' m/ _; J3 `" j* m2 E$ n__________________________________________________________________________/ q: b) ]$ g) M
& n* Y o2 M+ p5 A z4 _* V
Method 12
8 }# x5 \. M. }: E=========8 \$ e# h ~. f3 V* N
L" d; x. _* G$ Q- a
This trick is similar to int41h/4fh Debugger installation check (code 05+ _+ w& Q4 X, i# D
& 06) but very limited because it's only available for Win95/98 (not NT)7 n9 D, c W& o9 e
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
: e1 C6 h X0 F1 _) P" g, [* g5 b1 O& k! \
push 0000004fh ; function 4fh
6 v. h8 J8 k7 H; G2 @4 G! g push 002a002ah ; high word specifies which VxD (VWIN32)0 B1 c+ b* ~4 P: B" T' P
; low word specifies which service
6 ]% d8 R! C4 e0 C1 b- z. \! @, Q (VWIN32_Int41Dispatch)
. Z$ k8 C6 M8 R: c. c9 M% M call Kernel32!ORD_001 ; VxdCall
9 ~+ ?/ }3 q: C+ } cmp ax, 0f386h ; magic number returned by system debuggers) B7 o4 j. ^; O/ d# G" E
jz SoftICE_detected, o- X2 K& H5 i4 \3 i! P' ?8 E% U
1 y6 Z, N! U0 {* y- M" d. F$ b' aHere again, several ways to detect it:
9 `$ T2 {6 [8 D& ] T3 W
9 o3 j/ o4 b: v# K! Z8 L BPINT 41 if ax==4f
9 C. m. h8 s4 t0 ^- H" J
' g9 |! |# s1 j* B& i0 u9 X BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
" z5 l4 v2 ^$ a/ ]1 K% {$ L4 d4 P7 f0 o' F8 J0 a
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
! V1 g9 I; k1 O. E" I3 Z# H% ^1 l1 i ?8 |) m. ?# k+ H
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!+ O% q$ _ L, u6 R5 y4 e; _/ `
- h3 @# H. U6 q9 m+ w5 x& R# p* M__________________________________________________________________________7 U; W; a& W. U& ]+ T" j8 m
, q W$ e3 E' F+ O A: x5 h! xMethod 13* e a3 v% c8 R* E6 x3 r+ k" s
========= k; ]! l( @7 i3 I
( S& l! o, A6 S: @8 @7 P- S' }Not a real method of detection, but a good way to know if SoftICE is
) ?, I* i( Q& u# _installed on a computer and to locate its installation directory.
" P! e2 F* l5 @; W7 r0 Z+ p8 j( C$ |It is used by few softs which access the following registry keys (usually #2) :
$ Y K- x K" n) n7 C* y, }. i) W
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
( x) r/ d+ [0 R# m2 B3 [: `6 e\Uninstall\SoftICE
^8 R0 d5 {* ?-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE' e+ K; z: Z' I. Z9 f' `. y
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion# H# A! M+ H8 S" Q$ w! L
\App Paths\Loader32.Exe2 p+ L$ P6 `9 C" h* J' }& S
9 }$ _3 @9 |9 E4 L8 p
, m3 G: C0 C n' e( \% N) t5 r4 k' @. VNote that some nasty apps could then erase all files from SoftICE directory A8 d0 H( P' ]9 d" [! i& J$ u
(I faced that once :-(: e+ I) F% _% a! F2 o& N- o
+ }' c- J7 @4 f0 I; k' U$ TUseful breakpoint to detect it:
0 i, m- X8 f2 L3 s- c$ Y/ C# |, L# ?
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'' ?9 @2 x9 V$ W Q3 G9 `% v
7 M" P& {6 Q' a: V! R__________________________________________________________________________
5 ^ k# n9 u) x4 }% k- |+ I
% B+ E! g1 d. o
S, |2 h7 X9 h& r2 P- BMethod 14
$ {( \6 K* v6 e( h=========
$ ]( `, L8 d6 U" l7 Q$ P% { Y3 L
0 Z, t8 r7 M6 H" K, tA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
5 J$ h+ P8 r: N+ o; H& `7 tis to determines whether a debugger is running on your system (ring0 only).
: z) S# a( F( R! b5 e4 z& B" n
p5 G0 c- A5 H- S& E VMMCall Test_Debug_Installed
/ u- Q6 m) X, ^' I8 M% |- G je not_installed0 b. h1 k4 U ^" q* y
6 ^$ k- v; q6 f eThis service just checks a flag.0 P. @' L3 Y, h
</PRE></TD></TR></TBODY></TABLE> |