<TABLE width=500>
) k6 L3 N- z' {, w& L# V# F<TBODY>
; y' C0 ?, X, \# {2 H<TR>9 ~% S6 h( w: y U. t# C
<TD><PRE>Method 01 + D v, k2 N# {. j" {0 D8 \/ ?
=========
1 v0 o9 @! J7 j3 C1 V6 G* k6 O5 ^ n1 `1 m: `# i2 P
This method of detection of SoftICE (as well as the following one) is7 D+ f6 o- J0 I8 l
used by the majority of packers/encryptors found on Internet.
) u3 H2 h. d4 g% KIt seeks the signature of BoundsChecker in SoftICE
; ~9 W; v% F3 M8 N+ ^; ` Z; X; P$ g! j; r: y8 H
mov ebp, 04243484Bh ; 'BCHK'8 s% A6 J4 F; {) m% D
mov ax, 04h
9 ^, z5 n! F) B ]$ @$ ~ int 3
3 ~) |* _7 u, O, f; L' Z; f2 ]0 P cmp al,4
) _ W$ R Q* Z' N9 Q jnz SoftICE_Detected' }( Z! ~, P9 `5 z6 ?+ Y) V3 J8 b
& b! ]* Y# J; Y) |' K3 [6 L. x
___________________________________________________________________________* ]* ?1 H$ M2 w# ~* z& E L
+ [5 ?' N U# H0 p8 ]Method 02; }: Z9 ^: e8 Z. S
=========) c" c0 V0 F% b5 f& W$ {
- _4 i3 u, F) oStill a method very much used (perhaps the most frequent one). It is used
$ ~3 V; h4 G7 o7 V. S1 wto get SoftICE 'Back Door commands' which gives infos on Breakpoints,7 ]. [ x9 z, m- |, o; ?9 r
or execute SoftICE commands...
! O* Z, R5 E ]6 LIt is also used to crash SoftICE and to force it to execute any commands
] ]" ^" V T& ^. h(HBOOT...) :-((
; P+ `0 F* c" d
+ t% {0 z, t- b! P5 k& y+ ZHere is a quick description:3 f& [% c5 i9 B9 ~7 u1 P
-AX = 0910h (Display string in SIce windows)
2 X' R5 f. o. L; y K! g% {; T* p6 O% o-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
^) M- ?* m! U; W4 b- {0 l-AX = 0912h (Get breakpoint infos)
1 g! B6 Z* K, h: j' t-AX = 0913h (Set Sice breakpoints)
5 S! ]( b5 H' L A-AX = 0914h (Remove SIce breakoints); \; t+ e v" c: b3 o3 S
1 R! U: T2 i- |# o$ e1 ?! u m# n0 w
Each time you'll meet this trick, you'll see:8 q0 j3 u2 |3 t* y
-SI = 4647h2 m6 R; C8 H' }; V% r% D
-DI = 4A4Dh1 j, [& o& o( T& @% H( X7 `
Which are the 'magic values' used by SoftIce.
0 X0 ^+ {5 i' ?2 F. M i) JFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
0 a5 s; M8 {* l4 v' I* o0 k, E V0 W* H( K, [, Q: G0 R
Here is one example from the file "Haspinst.exe" which is the dongle HASP- V; O6 F5 u" z$ }
Envelope utility use to protect DOS applications:
9 F: |$ B( H; B
$ k$ O4 f3 y* l* T) R' ?0 v; a/ R; b
4C19:0095 MOV AX,0911 ; execute command.
2 v/ c" B) J2 N- ^7 P4 O4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
( u. O% y1 ^6 a4C19:009A MOV SI,4647 ; 1st magic value.
/ m* @8 x5 T: W$ B1 d4C19:009D MOV DI,4A4D ; 2nd magic value.
/ h+ T! l" F' I2 t4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)8 w5 ^- w, s+ o, D9 L
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute" U' u) M# `1 i# |, R5 g" M
4C19:00A4 INC CX
, i) h$ O5 N7 [7 p* @! E" v4C19:00A5 CMP CX,06 ; Repeat 6 times to execute4 M0 y" e/ T- P; ^
4C19:00A8 JB 0095 ; 6 different commands.3 }( J5 h" F" [+ X( P7 R
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
Y" q& @* f n; e4C19:00AD MOV BX,SP ; Good_Guy go ahead :)3 }0 c. d# N) G/ y
* M. `3 K. p$ Y' G) V- sThe program will execute 6 different SIce commands located at ds:dx, which
' l# }! w; A8 h$ zare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
, N" s/ `/ w9 }5 ^ [+ g* }" V& I/ @8 a
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
. M- _ {4 c6 k& {. V___________________________________________________________________________5 F/ v* D4 @8 d6 W& w# K
2 p$ J. d7 {6 e x2 m* I# G# Y
4 u! T# G7 Y1 Q6 w% T
Method 03
6 `1 {$ K! K4 y) \0 P7 d% p=========6 U: \6 q2 O" P
" \: Z+ q& F. K/ D" y8 W# YLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h( H5 z) [1 J( x& D/ O
(API Get entry point)
8 B5 K; w, u3 a% V
* c u# s7 O% L& e- E/ s% V" N7 Q# P- W: [& r
xor di,di
! G/ y- Z$ [% v% F ~5 ?4 l mov es,di" U6 A% G2 F+ j" ]
mov ax, 1684h 6 |% `9 M* X3 ?* A3 P3 o7 j
mov bx, 0202h ; VxD ID of winice
# [9 F. P' l, p5 S' C( d5 n int 2Fh
@! G" {5 G- J( H1 H. A4 W mov ax, es ; ES:DI -> VxD API entry point- k: T7 Q* Q5 C% p
add ax, di+ `& E' k) M7 F: @; q! H
test ax,ax/ w* |# U6 w7 e& h& K
jnz SoftICE_Detected0 J) k% f+ ~; A: I
- i) {, `# H e) x___________________________________________________________________________
! i5 E; I8 K7 b# f7 G) R% I3 g- x0 j6 ^6 X( j5 k! H
Method 04) M8 ^$ p7 s2 `
=========
( f3 X( C( `4 @4 R3 g- e% _3 M/ t/ b: X2 \% D) e1 A/ R7 H1 m) y) }8 V
Method identical to the preceding one except that it seeks the ID of SoftICE
: J- H' a& h9 E$ E7 lGFX VxD.6 }3 _% v. M& h
3 o! |, g% N$ ?8 q# x% s+ B xor di,di
8 X. ~3 S# x( u5 F/ u9 w: e mov es,di5 l7 e; s# S R7 P1 N% R- _
mov ax, 1684h
( q4 V' u2 B8 B mov bx, 7a5Fh ; VxD ID of SIWVID3 Q! X/ k6 A. s! d z3 O
int 2fh2 X# J- d5 |% o( z& X3 H8 p4 ]
mov ax, es ; ES:DI -> VxD API entry point2 a; A2 S3 ]: K7 o6 o, }2 @8 O5 r: k
add ax, di
J T3 s4 d! Q0 N2 b, r9 i0 Y test ax,ax6 j+ [" R! ?8 }1 {' @
jnz SoftICE_Detected8 ?! e2 C, z' D- k% n& M1 y
' H0 N0 x7 S% P7 c$ U u) e; T__________________________________________________________________________
0 U- @5 Z' X+ |( ?0 J0 U8 F/ E, r2 |. b1 p7 x7 O5 M
# G. J& g8 q6 F' R, q ]Method 05
2 B8 Q% q1 l+ L# U7 ?4 i=========
8 }; }' ?: _& N4 O( j2 `
/ M& C( M# u6 [2 W* gMethod seeking the 'magic number' 0F386h returned (in ax) by all system; D& U" g9 E# B7 n8 p
debugger. It calls the int 41h, function 4Fh.
+ U: g2 R3 g% nThere are several alternatives.
! Z1 G+ E" p8 H8 P* ], S
9 l* [, D- `8 B" F4 o- h* QThe following one is the simplest:
: G1 m3 O: h( |: y' V2 \! i- x T9 q) L2 [6 a
mov ax,4fh
. L5 x9 N0 Z: a; d+ B2 I+ ]/ b int 41h
+ ^& i0 ~3 I Z0 M0 ]. d) ` cmp ax, 0F3867 w0 x, h7 h5 t- C) X8 ~# B& C
jz SoftICE_detected
+ s6 g* W5 R, i; C- t. x4 m8 `4 C0 p
# D' R; q1 n/ \4 nNext method as well as the following one are 2 examples from Stone's 9 a4 s' W c# V# U" u2 n# Z
"stn-wid.zip" (www.cracking.net):% O7 D0 c, ?/ P( i0 g- M
. X7 H6 e1 a6 k* e( q/ P mov bx, cs# [/ |* j: h0 K9 K' J2 J
lea dx, int41handler22 Y1 z! k" m8 S: _
xchg dx, es:[41h*4]
2 |6 v. E+ |( S9 Q' @3 h0 H0 e U* O xchg bx, es:[41h*4+2]
; G: R) W' i: P2 Z9 J% { mov ax,4fh# J h0 h0 i& N1 g# ]2 n4 Y
int 41h9 j. W; Z: c$ n- p1 A
xchg dx, es:[41h*4]; Z1 R9 |, ~! I' ]6 f8 H) Y
xchg bx, es:[41h*4+2]9 T$ |) v4 i R/ `! c! [4 s
cmp ax, 0f386h1 @5 o+ _" G* `+ n9 J3 g8 ~+ i* }
jz SoftICE_detected
) f. m* V3 [" c) `. t
: p2 j8 `0 s E" p1 y$ A& M4 s1 ^int41handler2 PROC
; Q3 `& ~: ~3 d. C iret
8 U5 N3 j0 Z+ B' y: E1 L. yint41handler2 ENDP, @8 m- _5 G4 F8 e" t) ^' q
& g7 d3 l9 u* J! y5 a: B5 [2 ~# ~. `! T. ?' _
_________________________________________________________________________& Y$ o0 P5 U; `$ T
( C, K# A% h' `) c" c4 X4 P
2 T5 I" `/ R+ z2 PMethod 06' S3 C# z5 @* d8 x8 \4 `3 f: R
=========3 S$ @8 H2 F6 O6 r3 z
( H9 W# F( }1 t/ O; e, O
) w( }! B( N! X2nd method similar to the preceding one but more difficult to detect:% _3 P% ~& r! h+ y
" J& Z: B5 L' i! J9 P1 w. S
" F: j& V( Z% k t! [int41handler PROC
C* e/ V* D' ~ mov cl,al
8 Q. ?9 ?" G5 x# X! L; V iret
/ X, z) m" x! A- \int41handler ENDP; x& k! t0 i# T: \3 [8 k+ j( S
( c4 r- @1 V/ R2 J( T" d' ~! @; b4 j. f
xor ax,ax
* J" g$ n! Y0 |8 j3 k8 y- L. x mov es,ax
% C$ G/ W* B H$ ~ mov bx, cs( G/ T" C6 v2 b9 a6 ~# X7 v( z t
lea dx, int41handler V& ^+ e3 `" ^6 Z i
xchg dx, es:[41h*4]: G. H9 b& y/ n: G) H
xchg bx, es:[41h*4+2]
; n" T- f# ^, P2 U in al, 40h
( t' e7 G- K( k, W7 E1 K& j xor cx,cx/ B- G9 O% B/ z
int 41h
7 I4 I/ J5 x( X xchg dx, es:[41h*4]
& Z9 _# S4 S- g+ ]2 |5 |) D xchg bx, es:[41h*4+2]" u2 ^7 K9 h6 q5 y1 z2 U( k" ]
cmp cl,al
* Z' f. [& q; h7 ?- P; x jnz SoftICE_detected
: ]1 T1 F" l% Q7 W9 H* P( ^. }: S: {; z3 N6 H" `5 _) D% t; ~# h
_________________________________________________________________________& m: T0 R; n2 B% Y6 ?
& }/ r+ V# [ b
Method 07
' o. P5 D/ k5 I/ \5 T9 ?=========3 m( f' F1 x; Y7 X
( Q5 r) Q4 N% u, H! YMethod of detection of the WinICE handler in the int68h (V86)" \) E, ?$ f. p3 F8 s
- z3 T4 s& h7 G
mov ah,43h
: i/ m; v* G9 s6 e2 T! Q int 68h
3 E% A) @$ [4 h' [* ] cmp ax,0F386h
$ l; ^) j3 ?, A( i5 |8 v& K- m jz SoftICE_Detected
2 x3 l( {/ }4 r: p6 a! Q6 m3 Q5 O9 ~* i
" j. S! m' `# m/ K; o=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit6 N/ i7 r& G. l; p2 W. i
app like this:* P2 O7 L; f, ?+ b: E+ p2 f
" O7 ~5 f/ M) V. y BPX exec_int if ax==68( @4 X$ `# S( ^
(function called is located at byte ptr [ebp+1Dh] and client eip is$ L" X0 j7 T$ R& i; U
located at [ebp+48h] for 32Bit apps)
. A: Z8 \. ?7 c+ j2 p( W__________________________________________________________________________
) N. I1 P; ?8 ` {
$ O/ }' ^! ], ], J/ Q5 y. W$ E' C9 _) v" ~$ K9 `
Method 08
# c5 l F* @' n; q' X$ j=========. T8 g/ R" u) h- e
0 C$ M2 s9 V, p% G0 b( T- n
It is not a method of detection of SoftICE but a possibility to crash the
. P: R0 l9 u1 h& y3 F: p6 esystem by intercepting int 01h and int 03h and redirecting them to another9 n' |- D# |( Q% }. c% O
routine., k0 W6 q1 Q, i& t. ]) O+ D
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
# G- k, S7 C ]2 ?to the new routine to execute (hangs computer...)
7 S7 s/ O* B/ W0 N: {! N2 _+ D
0 z, ]/ C' x% m- f( p y3 q+ _ mov ah, 25h2 H% ]/ Z7 p6 m) y& w
mov al, Int_Number (01h or 03h)
) X( N* Y4 Z/ I2 q mov dx, offset New_Int_Routine
+ l7 i" M, `' X6 a& E" F int 21h1 R& H3 g- [3 W0 R/ z; ^" q. E$ O
- e/ t( d# E0 m- }6 e__________________________________________________________________________! S7 L0 t% S5 F: s5 a
: ~3 |5 |% B ^6 n! O! e
Method 09
, M* ~% K3 w M0 |=========; B- D6 Z# a( b0 W
% I/ Z0 _( R6 k$ ~This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only7 c7 K; ^4 b' W S' e. j( _
performed in ring0 (VxD or a ring3 app using the VxdCall).
8 e8 @- R z" M1 b! hThe Get_DDB service is used to determine whether or not a VxD is installed: |1 k: h- B1 f
for the specified device and returns a Device Description Block (in ecx) for
6 h- `* p8 c4 fthat device if it is installed.- [7 B# b: l! x: ?4 h
8 ?: b4 ~7 C2 O5 X# z' X1 F
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
0 T/ W, o+ C5 F. j mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)% j$ t5 b4 [- [/ b. x+ |
VMMCall Get_DDB7 F- p3 E5 @: I+ g" r
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed, y9 \2 Q/ ~; e, K8 d9 D: {2 ~
" K7 Y. E! U& f1 ^5 n
Note as well that you can easily detect this method with SoftICE:6 o o1 a" h+ Z# Z1 I$ M- H( |
bpx Get_DDB if ax==0202 || ax==7a5fh$ |9 X9 p' _; Q. G' \8 Q
0 G- i+ N$ g. l& H P4 X__________________________________________________________________________
8 t8 j- `& F; @3 h' U% m/ Y4 d) @5 ]* _' l& b, P( x; i
Method 10
8 m3 u | [: p* O* ^, S=========6 ~! U6 v7 q/ N
5 b' M( d D. F; h7 \
=>Disable or clear breakpoints before using this feature. DO NOT trace with
4 V' I2 Z# d. F9 \+ ^ SoftICE while the option is enable!!
3 F# W- \. e! z* x) g% h: C
) _5 R9 ?: J0 [* ^- Y2 MThis trick is very efficient:8 i \. J) h6 x3 t$ K
by checking the Debug Registers, you can detect if SoftICE is loaded
1 J$ P9 V% V- | E(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
$ E; [7 S6 v g" v* ]0 q Ithere are some memory breakpoints set (dr0 to dr3) simply by reading their# ? ^. d/ t' o, K6 J B7 ?: X
value (in ring0 only). Values can be manipulated and or changed as well
' H4 t! J' m- |! J4 L6 [3 }# j(clearing BPMs for instance)
0 h) v7 T9 r) G1 Z/ u) Q) O& a% a3 G- U* n; |% s- J
__________________________________________________________________________
. r" O( i ]' z8 b6 G; o ~$ d3 U' [
Method 11
" I% I {1 g: V7 G; X( C7 q& B=========2 @5 Z5 E$ Y# H+ q- S1 ~+ W
+ s. |5 W/ T6 e x- V, c
This method is most known as 'MeltICE' because it has been freely distributed6 o6 J8 i: N6 {, ?/ ^5 F
via www.winfiles.com. However it was first used by NuMega people to allow
% \1 @ R, P' e5 F2 _Symbol Loader to check if SoftICE was active or not (the code is located$ ^ O+ w+ {. W! F1 a. s
inside nmtrans.dll).5 n% L. m: a3 s% ~4 z9 a9 o. R9 [
; [2 e3 w8 w: Q0 j6 w
The way it works is very simple:6 G- T+ a5 W# W2 `. X0 I
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for9 k6 O$ P, l% ]6 `4 T0 Q: D# p
WinNT) with the CreateFileA API.
F, H5 D4 E9 U1 X% V1 N+ ^; {) C* {# C" F/ I9 N' y
Here is a sample (checking for 'SICE'):5 B1 P5 V/ l/ [# l: s4 y/ V0 s5 l: y1 b+ B
1 T% u3 t1 M. J: q" q1 IBOOL IsSoftIce95Loaded()
# e$ J5 j2 D, u% k( k{+ d' I) i$ l6 Z' R1 D
HANDLE hFile; * ~6 g7 B! i+ }
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,) _4 A7 A$ q1 T, y- x1 i+ ~
FILE_SHARE_READ | FILE_SHARE_WRITE,5 a& `: a4 f' Q& m0 [2 n/ |
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);9 O. P4 T ]# O* O: F6 C/ ^& \
if( hFile != INVALID_HANDLE_VALUE )( z2 f/ T* n6 n# w
{
' g% W- ^0 T* J7 H- x9 Z3 y CloseHandle(hFile);
% N; E7 M) X5 j& t return TRUE;
5 N! U. ]0 m5 n! [ }3 V3 o2 N" |( c! Z, o: y
return FALSE;9 Z5 g$ {) C' @9 G# T- m
}" a+ k- t H" L5 W3 d: G
+ C( ^/ f- Y4 L+ X/ e3 j& l" |; @8 ]Although this trick calls the CreateFileA function, don't even expect to be9 M! F1 I4 Q( V) ~& ^6 u3 j
able to intercept it by installing a IFS hook: it will not work, no way!6 @$ Y/ s7 a. E0 F
In fact, after the call to CreateFileA it will get through VWIN32 0x001F; y7 k' ~' x5 Z) H9 j
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
! J% t4 g# ~2 u& z( U0 e: Zand then browse the DDB list until it find the VxD and its DDB_Control_Proc
: T: A/ \$ W0 kfield.
2 T4 ]) f3 i [: @In fact, its purpose is not to load/unload VxDs but only to send a + _4 R$ `% g3 V; y7 }( j3 L7 h
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)1 M4 z0 e$ g ^
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
; [9 l% Q! O8 u! w6 r7 H4 uto load/unload a non-dynamically loadable driver such as SoftICE ;-).
; o8 f& O4 Z4 N8 D. X) E( ^If the VxD is loaded, it will always clear eax and the Carry flag to allow
3 C2 M6 W( j8 |8 U8 H; E5 g; Lits handle to be opened and then, will be detected.) g9 i* E$ U2 S/ k( l2 a
You can check that simply by hooking Winice.exe control proc entry point) S% ?( G! j# C6 y% K8 `6 \6 [
while running MeltICE.6 k3 Y. t1 Z% f( `9 R3 u
d/ K# g3 R# M, i/ d/ u5 n- D, A9 S3 y) z1 e/ z$ H0 X3 e/ o8 P9 H
00401067: push 00402025 ; \\.\SICE
+ X: y& q4 r6 t( d0 P" Q9 n 0040106C: call CreateFileA# f, a) |' W' f1 |: m/ Y1 P+ p
00401071: cmp eax,-0017 l. P4 [! u6 ?6 y0 ?. }
00401074: je 00401091& D, I0 z% n2 }/ K1 n8 g% _
6 n; N3 E" N7 t1 i8 j
% C' j/ X) S7 [+ G- b& A
There could be hundreds of BPX you could use to detect this trick.
) c* e# z7 S7 z-The most classical one is:1 r* K( K) B+ j R6 H
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
5 U7 R j# C8 O Z6 Q. s *(esp->4+4)=='NTIC'
- \$ p# r! i/ a, J$ h$ M( r( C6 j7 f8 O- g& n) r1 v/ I% T/ p) R
-The most exotic ones (could be very slooooow :-(+ u, S7 y7 o" F
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 8 P8 Q/ {2 E+ V/ ?2 H% M1 @4 g! ~
;will break 3 times :-(
3 e) i" b8 O2 j7 g' i2 t ]7 q1 Z, z
-or (a bit) faster: - M/ {+ D- p; F0 H
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')9 V7 F- ?. Q& d1 F7 J
) Z" r& g& T% Y5 G" ^ BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' . v) b: U+ C( [4 j& _6 S& w
;will break 3 times :-(
/ G6 }5 G9 c0 o2 [2 ^! Z I8 ^/ m2 y. r8 N( R' O
-Much faster:
/ J, F. F8 h+ o/ Y& H2 O/ F BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
9 L* l( R; c; Z8 d$ F% U; o" k+ o6 M! o( b1 A S l1 F
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen! `# D( A- B. B
function to do the same job:1 S7 c8 E7 W' ^- e4 F
* j" S- A: x+ E* F8 d
push 00 ; OF_READ
: d W, p% c( `3 D mov eax,[00656634] ; '\\.\SICE',00 \ y8 i. ?. v6 a% Q2 \1 V
push eax2 @* V- X2 i W( m5 ~" Z
call KERNEL32!_lopen3 B( P" y- z Q8 f
inc eax3 r0 H, Y, {" O' H& @6 P
jnz 00650589 ; detected/ g+ O9 y4 A6 u, B
push 00 ; OF_READ
1 m( q4 D/ r1 Q# g% ~( j mov eax,[00656638] ; '\\.\SICE'
/ e# b j8 A7 B5 R7 Q) n! ~0 l push eax
5 e* ]9 D* ^2 Z' f" o call KERNEL32!_lopen7 n9 F' }' p6 i' e1 u4 B$ W
inc eax
I$ z$ _4 i9 ~- N2 y jz 006505ae ; not detected
% ]) W6 d Y9 g3 I' e* F$ i9 }% X' E4 `0 m+ j" S8 Q
5 b' Q3 q- M" M
__________________________________________________________________________* r+ X, q6 G: y/ @
/ H. ]6 l0 ]) tMethod 12
) Y( o0 H3 ?, a* f& I9 Z; E$ Y=========
2 O3 V4 H' y6 K- \ a# D
9 K; A' m5 A+ V' P( I7 JThis trick is similar to int41h/4fh Debugger installation check (code 05( z% h' h- Q/ @4 e* S
& 06) but very limited because it's only available for Win95/98 (not NT) ]. v2 L, J' r
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
8 o* e. ?" o2 |' U- _ w
: D! Y3 ~2 i' [2 Y push 0000004fh ; function 4fh& ?' m' c" i0 S$ X+ `9 v
push 002a002ah ; high word specifies which VxD (VWIN32)
+ p$ z. F E8 n; D ] ; low word specifies which service
" v, u4 j/ ~! J) N: M (VWIN32_Int41Dispatch)
9 _$ D, ^ b, t6 T% h8 d call Kernel32!ORD_001 ; VxdCall
. z) }- i5 P) N7 v/ \) u cmp ax, 0f386h ; magic number returned by system debuggers
& G6 s- A% O4 \; j' B8 t& I# n jz SoftICE_detected# G. Q& ~1 ?7 R1 Q% [
* z; g. t) k) A2 v9 G% y, o# `
Here again, several ways to detect it:2 R" f4 _; b: `5 |
* F! ]0 R, u) A7 W BPINT 41 if ax==4f
3 M( ?0 X% v0 R" Y6 C" U
1 s: r7 S% b M# q7 m BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one1 [, h! U: }- a
8 }6 ]/ }1 _$ _ [ BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A" q6 O* _9 g4 r# d7 w4 j
( {* a, S% S$ q/ E! j3 k BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!6 F8 q9 t0 v, J+ p3 D: O5 U- z% W
9 ~) H* k' J3 k; z__________________________________________________________________________, i5 b, L5 X4 [5 v
5 ~/ a' \5 N7 K* E8 \Method 13. [# ^, F6 h$ J. a5 H
=========
2 T( s; t5 ~' o; `$ [
% F/ O0 S' o$ v1 L6 O9 T1 tNot a real method of detection, but a good way to know if SoftICE is
F( |! C! I% r. F- ?installed on a computer and to locate its installation directory.
3 L6 F# {! t: d; _; v0 dIt is used by few softs which access the following registry keys (usually #2) :
; G3 v2 Y v/ `; c* w9 s0 x
9 F; S! N) M! v: Y4 a; o# R* V-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion: s. y2 v' m. \! u; s) Z
\Uninstall\SoftICE9 R# l9 m# g& S
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
3 W, y0 |8 t0 ^& ]* e! R- S: d-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
q, a' e+ R6 w+ w& p\App Paths\Loader32.Exe( |, j' f- Y! h
( a; j0 C, X- b5 A# W
( T* y5 s1 L4 d" p
Note that some nasty apps could then erase all files from SoftICE directory+ U/ H1 h# X1 v& a: K6 e- o
(I faced that once :-(% R; o- K, W* X5 t
7 |' p6 W/ A! Z$ v7 }. L6 ?Useful breakpoint to detect it:: F) R; }' P( ?( w k; N$ m* [$ f
% A" \+ N' J; M" k' b- J BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'1 k0 H2 F; }( }
2 |+ M8 h/ ^: t" K" O2 @" x
__________________________________________________________________________
5 C& Q9 ?5 Y% }- t0 R9 V. q9 E. `
a8 i7 Q3 Q2 \$ v: h' w2 Q6 K1 I% G# M
Method 14 9 Y. n. h; p5 ^& t3 L9 D4 N, V& N1 l, b
========= S6 ~( f# Z3 }- a" y
Q8 b" V+ E. L. B" r% c) u
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose# {) r# d. K! p
is to determines whether a debugger is running on your system (ring0 only).& o! K/ R: A2 |' ?. q1 v( Z
! H [& [6 N* O" F- |: [ VMMCall Test_Debug_Installed
5 _9 Z4 |5 x! a: ~1 i+ Z6 J; \3 D je not_installed8 Q% |) _2 n3 ^
: J; e7 v1 l x0 Z) [% Q% G$ o7 ~$ w- X
This service just checks a flag.; G: ~& b+ s/ b) _# o- S
</PRE></TD></TR></TBODY></TABLE> |