<TABLE width=500>) p7 B! A9 t/ {8 ?; O
<TBODY>
7 X! k* z+ ]# z6 T$ Y" I3 o<TR>
0 P/ Y" D; X2 U: i7 h<TD><PRE>Method 01 ; ?2 S6 [8 _ {5 u( m
=========# o* J& H7 F% c- _: W+ z
/ |, G9 r- t( Y% h; |This method of detection of SoftICE (as well as the following one) is
1 K$ [7 i' I0 Z. I: [/ }! rused by the majority of packers/encryptors found on Internet.
/ O+ w% }: Q' f" P5 r0 RIt seeks the signature of BoundsChecker in SoftICE6 g: h+ p; f" }. _9 ]6 r
. F$ c. B. E; K( L mov ebp, 04243484Bh ; 'BCHK'4 k0 c% \- L! o' Y: Z
mov ax, 04h
- |$ l( I8 y' t% ~0 D int 3 # v A0 e) a! Y! w* V: j w* c
cmp al,4
o& c Q* F. \/ o( l jnz SoftICE_Detected
# E) i6 T8 t, E5 i" F6 e9 W8 M4 r" a) B7 y. U
___________________________________________________________________________
/ L [/ U3 W% r: H
9 g9 D6 u" A0 ]% ]( q. lMethod 02
$ J# u5 Y1 L/ A! [. J) P=========
4 p' j3 O: b7 P9 u
! w( ]. M o4 H8 WStill a method very much used (perhaps the most frequent one). It is used
% o0 j0 ^1 y7 q) H7 Gto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
3 f4 _( t8 E1 x& wor execute SoftICE commands.... n& q8 \/ G( a2 U- N( }6 d
It is also used to crash SoftICE and to force it to execute any commands
3 \% f# Y8 R3 _) f6 ?) V3 i* c(HBOOT...) :-(( 9 R# C7 y5 K" [# h0 i4 p7 ?
7 ?) f* M$ }0 M' `! p% F
Here is a quick description:
% g. A' R1 d' p5 G4 t0 R-AX = 0910h (Display string in SIce windows)
' y2 e, k7 e6 u-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
' x0 |2 \3 d- m2 x$ }; `-AX = 0912h (Get breakpoint infos)- M% t b. ~% K! c+ r( {
-AX = 0913h (Set Sice breakpoints)
" K/ o: u4 X9 A/ ~7 T-AX = 0914h (Remove SIce breakoints)4 _$ U' @) U3 Q4 J1 ]
& B( O' d M( {) V0 c* `& OEach time you'll meet this trick, you'll see:
1 U9 n/ A& a2 d-SI = 4647h4 e7 y3 c1 [2 \, H$ B1 c5 r
-DI = 4A4Dh
2 F& _3 t# e3 H5 y& MWhich are the 'magic values' used by SoftIce.( m. b) K7 U/ \" j! m: i1 Y
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.1 ^ Y3 `" u5 U5 y* d/ j
p! q& x; w7 K. r2 Q
Here is one example from the file "Haspinst.exe" which is the dongle HASP- f! |( o' K! j- G9 V5 [$ w
Envelope utility use to protect DOS applications:3 C- ?" h9 B L
; `' K, U; _3 `; F+ ]
9 I- [& E$ ], A" J) k* f
4C19:0095 MOV AX,0911 ; execute command.
8 k$ N! t/ V8 v- s# z( K0 r( M7 U4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).) {( I& X6 N' ?' [* t
4C19:009A MOV SI,4647 ; 1st magic value.+ v+ H1 H* B i: _
4C19:009D MOV DI,4A4D ; 2nd magic value.
8 `6 z, R- @+ a2 z8 g4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
% ?7 d9 t7 ?/ \# B4 j4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
( y1 q+ L' L2 d' D4C19:00A4 INC CX! c/ q* J% ]4 s( P
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute. j7 v- ?% B) {3 ?+ X: i% S
4C19:00A8 JB 0095 ; 6 different commands.
* T' z2 {8 L5 g$ x5 Z4C19:00AA JMP 0002 ; Bad_Guy jmp back.7 ]# [1 Q% i# I$ V+ i
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)- i2 A+ Y8 ^1 y/ ^3 l
; e3 {9 A/ }. n) h4 m! SThe program will execute 6 different SIce commands located at ds:dx, which) |* |. ?' w6 [% G% z% L
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT. l0 U& e9 Y) h: E" R
, v+ P* o4 X8 }- Z7 Q* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.+ C6 _4 ]$ K, Z$ s' A
___________________________________________________________________________, H' O( k) W5 V
, m& |1 ?9 x- I0 f7 n! ^- J! s, o* Q A# y6 `4 i. h; Q
Method 03, D# Y& J& Q! b, Q
=========: j5 N: M7 p$ g9 [9 b
( p6 \6 _% |" M) H8 ]* b, hLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
2 i5 W/ }! k5 f/ Z- V(API Get entry point)
% o/ r3 ^: _) c, y+ m
6 T+ N5 g" U, _. j _# c0 `
/ h' B) _! G0 X2 q9 T( r xor di,di
e& K* K0 D3 O% P: O& x4 q mov es,di! X3 N4 J% E# F5 s) s# ^( L
mov ax, 1684h
5 f1 |" l" a+ v: ~6 E2 I; Q( ` mov bx, 0202h ; VxD ID of winice! M+ ]- y; I* F2 F
int 2Fh
- D5 @( L& O8 ~4 O# Y9 d: u8 {. ~ mov ax, es ; ES:DI -> VxD API entry point7 ~) R6 u8 d) Z2 J
add ax, di
3 e% C" A; j/ t; L test ax,ax" F& u0 ?% W$ G* }3 A7 H1 ?
jnz SoftICE_Detected0 D E% D; o+ y
& ~# L% t4 F2 r
___________________________________________________________________________. Q% \% e# W- y% W- p. J
y; F) T) U# o8 pMethod 04
; u* R2 _. {8 B$ Y. p/ g=========
( U6 I6 k: m: t4 x* ~4 ~' T0 {7 v$ Q. s, B1 p$ |' {
Method identical to the preceding one except that it seeks the ID of SoftICE9 F0 W& K7 U/ [+ w' M
GFX VxD.
; U9 j4 c7 A2 j e1 a6 Q& ~
5 E4 T& H/ A1 \& O) O s w xor di,di
6 t% c8 F* Q0 ^0 t+ S+ O2 f mov es,di' p9 Z4 s& w7 Z( x& X
mov ax, 1684h
- G6 Y0 S- q. L4 R mov bx, 7a5Fh ; VxD ID of SIWVID
) ]9 g( @! C' @+ {( p int 2fh$ y! u3 t4 Q/ {* Q
mov ax, es ; ES:DI -> VxD API entry point$ i$ `6 m ^1 q2 }
add ax, di
& R; y9 P% Z W( d) G, r3 N* d/ u test ax,ax
1 U9 D# s2 ?8 \5 A5 ?% k; n C jnz SoftICE_Detected' |2 M, w7 X% G# t
0 Y X M5 D' P- u
__________________________________________________________________________1 k- Q3 `9 M% n$ e" q) c b
0 Y8 M( }! z8 P4 C0 U1 c" f
9 \5 k) p! M1 c9 Z+ U6 a7 GMethod 056 \4 `0 `' F* S5 |
=========
9 U! x9 ~# E. o( j, ]/ j8 h0 d
' m) J4 @4 e& Q, `* o( yMethod seeking the 'magic number' 0F386h returned (in ax) by all system
1 J2 ?) D( \$ \- m0 hdebugger. It calls the int 41h, function 4Fh.
8 f/ o9 R- V$ ?8 s7 ^6 F! Y- nThere are several alternatives. 1 _7 Z/ Y9 g$ |7 T) P
! Y9 h: X7 \: T. g
The following one is the simplest:, \! }- F6 ~! Z |( W' O# \
% U4 l- N2 W9 p# }+ g( r mov ax,4fh
6 P, ]. F6 j% H4 c int 41h
7 l/ ?4 s3 M1 n& O* f# w cmp ax, 0F386' P7 {& U r* s
jz SoftICE_detected
; V! p5 x$ I7 F7 n5 B7 S
& r! s, k1 G* N l! f. u2 n$ }2 ]
# r% d, j$ e5 p8 u: T2 H; UNext method as well as the following one are 2 examples from Stone's
7 y' W R2 v' l+ c3 a; q3 }+ d/ X"stn-wid.zip" (www.cracking.net):
& T. S2 \+ G# b# W' ~
; a. t3 r: r0 Y, ^( _0 ?7 \ mov bx, cs' h2 s- q# a1 s4 s/ J
lea dx, int41handler2! s6 p0 b6 i9 X6 U
xchg dx, es:[41h*4]/ ]: h( H: S2 c" c4 ^4 _
xchg bx, es:[41h*4+2]
7 q' I( B# q' q* j8 z mov ax,4fh
4 @* A3 C9 }0 Z" f int 41h
6 o o! v( k' } xchg dx, es:[41h*4]$ N, S+ |; r! k, H! \
xchg bx, es:[41h*4+2] U* x( B3 n& v& U+ k% L! Y) L
cmp ax, 0f386h
; j1 a3 q8 G+ `% ? jz SoftICE_detected! h; @9 Y: B, h! T/ ~
% x5 R. g% }7 ~. G/ Q b/ x4 Cint41handler2 PROC
! j% }+ w0 r2 F0 p3 m8 ~1 s iret' F9 \5 X# g# I8 M& a2 X: l
int41handler2 ENDP. y0 A' g8 a5 l2 X8 o: n
: w3 ~0 J( b; k; q9 ? U
' _) ]% Z/ Q) R' o. U6 p_________________________________________________________________________+ T9 J* q1 e# c# L5 {$ i
2 U6 t1 E4 Z4 m9 _8 ]
) s4 H: y8 s& J' VMethod 06( b2 j! h) G( B' i
=========
- H8 z' G# X' {2 p: s4 P& K1 ^* K9 T3 d$ G/ o
3 r* t: K! C' }. M9 b2nd method similar to the preceding one but more difficult to detect:
E" A5 N5 t' A# L- q8 U' X8 T+ w [2 Q/ O/ H1 U* W* W$ ~# t
5 S# X- x3 }+ O) z- k( ~7 F7 o2 A/ R
int41handler PROC' F. D% a5 e. Y( {( M* D
mov cl,al
* `% g: j: ]- R+ I iret
! K* A: z) l# h% M" r7 C6 [5 Xint41handler ENDP7 P/ y9 Q9 o! c6 j/ g
# q* \$ A1 B! C3 D6 c4 C l& O. M9 ]2 o9 c' z1 v7 w
xor ax,ax
1 d1 _1 |! J7 D& R mov es,ax
( t, l9 @2 K$ i2 L mov bx, cs: ~+ X2 y( p$ c; I/ ^# B: N: s
lea dx, int41handler* g8 B( n/ m/ }. d! B
xchg dx, es:[41h*4]
# D) C$ G, @+ Q( W3 b! m xchg bx, es:[41h*4+2]
5 ?. N6 J8 F7 B: r in al, 40h w. u/ ^( G% T8 J2 v& ^6 _
xor cx,cx T( z3 ?9 i1 s& E
int 41h
0 c5 A! U5 h8 `2 [ A xchg dx, es:[41h*4]
, f3 L% b& A4 \) L( H3 ? xchg bx, es:[41h*4+2]
$ B- k. G& Z0 ?% q7 y& V. _+ m: r cmp cl,al! Z! r+ _+ n4 ]' H, v% @
jnz SoftICE_detected. f0 s& }4 @) {8 q9 j7 l% r8 M" e
$ [2 o }6 H* Y; Y, \
_________________________________________________________________________
* k9 i/ P$ E, ?% A2 n0 R* Z+ d' A. ^+ Y
Method 07% V3 ~, I+ T, Z+ Q. a- _
=========" v, z4 S. F7 M) y. B. `. K
5 ^# o3 x* A6 z) PMethod of detection of the WinICE handler in the int68h (V86)6 _- [" h. _7 V7 {2 k
( G8 T+ h0 G- Q+ q% A! k mov ah,43h+ n) J+ d8 z7 R: |
int 68h/ p4 P3 |- J6 z) j
cmp ax,0F386h
# W! J4 O$ v! C, Q& R; X, a jz SoftICE_Detected4 U# {. L/ ?3 o" k* x
: y! F& F$ T- @6 F" r/ \3 v6 \ p! {
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
! {" l) E+ k+ J I! T0 }+ Q. K app like this:
% j# g) V' O5 y; n) Z/ g* [& |, O! f4 z
+ l0 U# i! p" o# J, C5 O0 }( q BPX exec_int if ax==68
# w/ r5 B; e2 t) E' c3 H8 [ (function called is located at byte ptr [ebp+1Dh] and client eip is
* S3 _: z4 b2 c- y0 C, A located at [ebp+48h] for 32Bit apps)
r2 }* ]* s" F6 N__________________________________________________________________________
7 d6 h7 S3 e; b# ~$ ^
$ R* S6 y+ d K; K/ `* h$ `, q f% P" V" {" @6 l0 ^ H
Method 08$ d* a1 D! i; _0 B a9 l
=========/ H/ C; N# B1 v% ?- \
" s' c" }7 ]# K1 s G) `
It is not a method of detection of SoftICE but a possibility to crash the: |9 C" Y6 |' j! C' o: s
system by intercepting int 01h and int 03h and redirecting them to another
6 p7 r, b `1 Z5 `; }routine.
# G& [+ z: @4 y% N/ f/ O' R. t. C7 t! Y! PIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points4 ]2 Q' H/ [8 i3 W0 H# m
to the new routine to execute (hangs computer...)
2 D/ u! l# N: X7 X. W* X3 z, b0 D8 f+ a: x
mov ah, 25h
1 b4 c: ?2 C0 J+ e mov al, Int_Number (01h or 03h)
+ w" e+ F: }) l# J1 n mov dx, offset New_Int_Routine
% P5 r$ X2 ? Y0 V+ ?# V6 `9 [ int 21h
0 r/ }: M h8 G6 C- A! C
4 F# m# m$ G2 i! r$ N3 F* S- r__________________________________________________________________________ D6 m1 Q, k" h* z
. H# ?* g$ X/ A
Method 09' }% A/ i5 Y7 F) X4 f
=========. {" z3 Y* b* {) g: Q
# @! M2 @3 K& l7 XThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only- U. D5 @8 O/ H) t, l$ w
performed in ring0 (VxD or a ring3 app using the VxdCall).
! P9 J: v/ C1 J! eThe Get_DDB service is used to determine whether or not a VxD is installed; ?0 [! }! p4 s% [. o) Y$ N
for the specified device and returns a Device Description Block (in ecx) for+ H7 @ k7 E8 a) P: w. @' o: x
that device if it is installed.) \$ w2 q; M8 n5 q& J9 _% E2 ^# e
# R$ ]6 \9 M6 o* V mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
; f8 y/ g* S& Z2 K mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)9 B' E. I0 I& Y4 P! g& l+ ?& S
VMMCall Get_DDB1 ] M; ]! x/ c% f6 J
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed" a: q+ q( a6 L% {* K( A0 n
! q+ N& ~7 }; ?. W. T! }
Note as well that you can easily detect this method with SoftICE:) |7 G' F& d( j; ~
bpx Get_DDB if ax==0202 || ax==7a5fh: I6 M$ ?" M2 p! ^) W7 l
6 w- m$ ~5 w9 s- G* l9 H( y
__________________________________________________________________________2 H4 p0 m: h6 w+ R: i: q3 S
9 t# a- W* U1 F1 s6 [Method 102 B- X/ z' R' |' E' w) B- T8 E
=========
& U3 e) X" A1 w& Q" [ l z0 _
6 _0 U% A' _- L: n# ?=>Disable or clear breakpoints before using this feature. DO NOT trace with' T" @ l& D& C
SoftICE while the option is enable!!* N9 s, X( A% L1 B; X
' C: r$ G- E$ ?0 m7 m3 @5 [This trick is very efficient:# ^. `+ y1 S* Y! v1 I
by checking the Debug Registers, you can detect if SoftICE is loaded) V, X. E: _; Q% V7 ?# J
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
+ w/ \, r3 z2 k# Othere are some memory breakpoints set (dr0 to dr3) simply by reading their
. r" N: Q* _( N0 M$ |' {value (in ring0 only). Values can be manipulated and or changed as well8 o& U" J+ D( T) U+ Z ]
(clearing BPMs for instance)
3 ~; C& }* ^; b3 p
/ O( x) v* ]# }__________________________________________________________________________. l' e1 `6 {' K+ n+ L: L9 H- K
6 z9 W' a3 z5 b4 b) r$ SMethod 11
7 C; v" i' M1 w9 e0 u=========
" G! z3 N( {1 {1 k9 W/ C/ W2 e. A' C% ]/ G! k! X& |
This method is most known as 'MeltICE' because it has been freely distributed2 g. Q. D3 Y- l4 @- z* f2 W
via www.winfiles.com. However it was first used by NuMega people to allow
1 V9 g. N% y& W& K6 d2 I/ R/ \Symbol Loader to check if SoftICE was active or not (the code is located
5 R# q, z* G2 Y8 q( yinside nmtrans.dll).' k0 @+ K' v: H( y& ^2 i7 j1 C
& g- u; o) R6 m. |2 ^; I3 O+ FThe way it works is very simple:# M# d I; F4 M5 N; b
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
" o0 y% p/ g4 \3 KWinNT) with the CreateFileA API." k' ]- ?8 m g3 {
+ H) q( T. @7 Q" y2 _) b2 ^Here is a sample (checking for 'SICE'):
5 e+ O; ^# O5 Z" h- V: v" ?# f0 }+ R4 d/ E
BOOL IsSoftIce95Loaded(), P. b C% A6 N9 o& P( p7 Z' a' m
{/ q. ]. r* Z0 A6 K0 s) Z
HANDLE hFile;
9 @, \! b4 m1 S: t8 k; {& e hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,; A+ h4 R8 G+ h$ F/ p
FILE_SHARE_READ | FILE_SHARE_WRITE,
* d0 t) E' L. Y) B) Q NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);; ]) N4 s2 ^0 t. q: @8 l; N6 @
if( hFile != INVALID_HANDLE_VALUE )1 }+ u l1 Z6 I1 X" N$ M. r
{
0 c6 m' a! }! P* j. d" p! k9 s CloseHandle(hFile);: h7 d% H j5 e6 S
return TRUE;4 H" u/ v/ a, Q9 i' x
}0 H/ H# B* w+ ^3 P/ ^( U
return FALSE;
; {* B' j( j+ H" w& S}
. P5 s: v& U+ s# M: M, H1 a' x: k0 m% I' b; {, x6 K& T
Although this trick calls the CreateFileA function, don't even expect to be+ e, Z) q+ T! r( t
able to intercept it by installing a IFS hook: it will not work, no way!9 T0 b$ C F1 `9 l8 N. h4 N
In fact, after the call to CreateFileA it will get through VWIN32 0x001F! ?, |: m, F, c( m
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
& R2 b( N1 L4 Z, j4 F6 H, Hand then browse the DDB list until it find the VxD and its DDB_Control_Proc
) Y6 D0 }2 V) {# E! qfield.3 M8 ?0 _% M+ l3 {* G
In fact, its purpose is not to load/unload VxDs but only to send a * W9 G0 ~$ |9 b8 A" b( j5 u
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)* V5 p% r1 v5 u: q2 s/ n# f
to the VxD Control_Dispatch proc (how the hell a shareware soft could try7 v: H4 ]0 Y3 `1 ^
to load/unload a non-dynamically loadable driver such as SoftICE ;-).8 B' k& ?; p9 w# R3 I7 {% y! l/ q5 s! D
If the VxD is loaded, it will always clear eax and the Carry flag to allow
) N/ q* @9 F$ m7 v+ U2 Yits handle to be opened and then, will be detected.% i' ]6 O% O$ k5 `% A
You can check that simply by hooking Winice.exe control proc entry point
4 x7 c. G' ^3 ~! ]. L2 K* ]while running MeltICE.
9 t' D0 g T, {7 x0 z- M6 x \
! L( n0 B) R6 v& c6 L( U# i1 J
5 N m( @$ w3 X 00401067: push 00402025 ; \\.\SICE
8 |9 W& s) _0 P 0040106C: call CreateFileA# F, B" u. A; d6 \, ?: `/ P' _+ t
00401071: cmp eax,-0010 P* c) k( H/ Y0 _, p( W' B
00401074: je 00401091
8 ~( o, z6 Q$ d& t+ J2 u& [2 w+ y, R$ f( Y4 w
& Y+ ~0 s7 X) h8 a! |3 o% ?3 nThere could be hundreds of BPX you could use to detect this trick.
3 w/ H! h4 f8 H# z+ e! h-The most classical one is:: A* o* D6 \' d
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
) Z4 `* k" o. O7 D' \: N1 P *(esp->4+4)=='NTIC'2 V+ X6 {+ z6 L
4 p+ J2 Q2 S( y
-The most exotic ones (could be very slooooow :-(6 ^) o0 F8 G; H" H* m
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 4 u* c( w, b4 ]1 g- Y- m3 c$ i; ~6 U
;will break 3 times :-(
- |3 U+ R! Q0 v* k- s
6 C) W$ c8 b8 g-or (a bit) faster:
+ A. Z3 n/ M, i' i4 n: S BPINT 30 if (*edi=='SICE' || *edi=='SIWV') H/ X" \$ {! m; E$ U; z
: {# T( f+ o, v i0 e. ~
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
# P( f0 s) W( U: N ;will break 3 times :-(2 s s0 J7 V9 y; E# Z, ]
/ K$ T# ~9 z. a% z$ H9 `; @
-Much faster:
7 P0 t; h* \% P- D6 g7 q5 \0 V BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
& R$ y& m t) R- m, o, v) p; ]3 U' w1 M6 d+ t8 f
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
6 P1 p# G) B+ Y+ e0 r1 U4 Ofunction to do the same job:
/ ^, t1 _! R0 T( P% H8 a8 D" m$ l3 Q4 \+ j6 m+ N+ _: E0 s
push 00 ; OF_READ+ D# v2 k! K9 S% _! x: e
mov eax,[00656634] ; '\\.\SICE',0' I$ a! }5 i# z" t( o. M
push eax% q8 ?1 ]* Z' R
call KERNEL32!_lopen
" Z* g& n% H7 _- z inc eax/ J$ i6 R; \. g+ {. u
jnz 00650589 ; detected6 k7 ^6 l1 K9 s- n8 o4 x) l
push 00 ; OF_READ) J3 G$ a" h$ n- S4 a
mov eax,[00656638] ; '\\.\SICE'( P4 Y* e- ~5 M% V5 K! `' v
push eax
2 T8 p& t5 h$ i2 | call KERNEL32!_lopen
( i: S* X6 s; {+ n( b inc eax& p- j {8 n% s. {) a' j b x2 p6 O
jz 006505ae ; not detected
. G9 G0 {) E4 W) r' b5 C
1 _, W( [6 P' _, w
/ `" k! {, E/ Z3 N__________________________________________________________________________( M' \( r$ ?0 z ?% ~
( t" i1 W8 ^( h- V5 ?: l* YMethod 12
0 s3 ^$ Q w1 n0 O2 }=========
; c: y( h1 X* r3 M& d
4 s8 k. K& [' o) _+ B* gThis trick is similar to int41h/4fh Debugger installation check (code 05
6 R: `: a' K0 c1 T& H1 v& 06) but very limited because it's only available for Win95/98 (not NT)8 C7 W0 l4 F* B5 V; }+ {; l
as it uses the VxDCall backdoor. This detection was found in Bleem Demo./ A& K! Z% J" v M7 P d+ K
6 E. O) d8 r1 l$ o9 o
push 0000004fh ; function 4fh1 s$ k+ ^# A4 {6 l* v" a, T
push 002a002ah ; high word specifies which VxD (VWIN32)
* ^: O7 ^$ ^0 E o ; low word specifies which service
; J8 D9 M" m9 d (VWIN32_Int41Dispatch); P6 P ?; ^: p" s; N& Q% W2 x" P: D
call Kernel32!ORD_001 ; VxdCall
P. \0 k0 M1 m; Z ~1 E6 Y cmp ax, 0f386h ; magic number returned by system debuggers
) N6 j5 j8 t D6 N( i$ } jz SoftICE_detected- _/ n0 v0 K5 h; }% x2 o, n% j% c6 W
$ z) Z. w( y9 a) a" s# `+ K
Here again, several ways to detect it:
: l) a3 W( r) e3 I& Z1 E8 \5 ~* H/ T( n$ U0 ~) m W
BPINT 41 if ax==4f$ L: N/ Y+ I3 @9 C+ d2 n4 t
$ j) ~$ R8 ]$ w. O" m$ M" Y; b8 [ BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
8 l3 `6 P V8 u
& A. b! g8 x" A+ H8 a! C BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A* b* O0 Y9 R& q' E; d
+ ^- W+ m. G9 k, h6 Q8 K5 L8 |
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!, X& L/ b+ N" g2 d `9 G
& H6 j9 w- G) ]% f0 Z+ c
__________________________________________________________________________# i' }! H( Z; b- Q/ q
$ d- P# h& Y9 }8 H: H
Method 13
2 m9 A: g* E y0 t4 }) L( N=========. T' H' e8 F' O; h1 Z- P
. f( B' b3 I0 g7 C6 e' T8 PNot a real method of detection, but a good way to know if SoftICE is
3 k% f1 @( x4 @# V4 F/ pinstalled on a computer and to locate its installation directory.
" W9 e, M8 L/ `. o, @! W' ?It is used by few softs which access the following registry keys (usually #2) :0 h% X5 ^0 r% s0 u
/ c+ G+ k. M6 j! ^
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
5 F. l0 ?4 G: G) y8 [% q, m\Uninstall\SoftICE" L' D1 Q; A9 j; k2 ~4 |
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
# t7 K( e3 A- @- c; P. o; H+ p L2 a S-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion8 Y3 ~4 `: O8 i8 M
\App Paths\Loader32.Exe( U* h3 ?. B$ L& }, s( h
0 b8 k* w% t% M- w
+ D/ E. s# l+ z9 u- c( D7 n7 jNote that some nasty apps could then erase all files from SoftICE directory
& f7 G Q U6 q- E(I faced that once :-(
# V0 k3 I. X' ~$ \$ w+ I/ K4 A \# N5 Z$ m9 i
Useful breakpoint to detect it:* G" o( Q1 L# P8 d5 r5 {" A1 ^
! U! l( r8 g) h7 c9 n1 E( A
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'9 l4 k9 a2 b1 Q1 r" B
8 M: @1 d5 t! H0 i
__________________________________________________________________________9 o$ E2 z5 u1 s1 ^, q2 ~
- q7 e/ _3 x3 [7 n7 ^" P
. |1 H3 J" f0 o xMethod 14 0 M' Q4 l7 @& W& U5 ?- I
=========9 [: g3 H9 _$ m/ d+ R
( ~6 F8 r4 X( x# C- Y5 M. V1 `A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose$ T0 E% U8 f; h2 D6 i+ h
is to determines whether a debugger is running on your system (ring0 only).4 j% W; ]* c* [, M n! A; Q
% t6 |! N$ ~0 N/ p( y VMMCall Test_Debug_Installed
0 |' r- ]0 h* G: e* } je not_installed# r! j1 ?. @8 @, n w( z) j1 W
( q! `' }+ z. E/ s
This service just checks a flag.
9 h; q3 T8 `7 V r! J0 m" N7 x</PRE></TD></TR></TBODY></TABLE> |