<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
" ^9 c* U! g6 }9 n3 I0 k- v
# D v; q1 x7 Y* I! V- BMethod 03
8 D5 ^* q! E" ~2 ^) ~% l6 a=========. n2 p. \: @- X; e
4 H5 t# A# c0 J6 J% fLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h8 f* X2 D8 C j. O% v- ?" o
(API Get entry point)/ @- k+ J ~9 J' D' r n
8 p# f9 r9 g. [7 T; P! A! a5 v8 u' Z- w& P& L
xor di,di7 T8 Y, M. X- \3 p s9 H
mov es,di
; d( C, u% w! R9 h" L7 o3 f mov ax, 1684h * c% F* M6 D$ Z# z' k. \6 m9 B' H: G# l
mov bx, 0202h ; VxD ID of winice
& K- E4 o5 |. v9 Q: {' h Q7 l int 2Fh( u: E$ H1 D- \$ b+ R3 Q" _
mov ax, es ; ES:DI -> VxD API entry point2 B( |/ L1 R0 n; w; X* V0 I5 b
add ax, di
0 J+ D4 `3 g) E+ C test ax,ax
7 P# ?5 u; x! b0 d# H3 m+ ^ jnz SoftICE_Detected
% n. j8 T- v# [1 A- l8 ^( B6 F
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; (01h or 03h)
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Try to open the SICE VxD by its device name; success means it is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025             ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp  eax,-001
00401074:  je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>