<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It relies on the interface SoftICE offers to NuMega's BoundsChecker: an
INT 3 issued with EBP = 'BCHK' and AX = 4 is answered by SoftICE, which
changes AL. Without SoftICE nobody answers and AL is still 4 afterwards.
In a Win32 program the INT 3 raises an exception when no debugger is
present, so the check is normally wrapped in an exception handler.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It calls
the SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT, which reboots the machine...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed by an exception handler (SEH) that the
  program installs itself: when no debugger is loaded the INT 3 is not
  swallowed and lands there instead.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh/AX=1684h (Get Device API Entry Point), with BX = the VxD ID of
WINICE (0202h). ES:DI is zeroed first, so if nobody answers it stays 0:0;
a non-zero ES:DI means the VxD is loaded.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it asks for the ID of
SIWVID, the SoftICE video (GFX) VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Before calling int 41h, the program points
the int 41h vector at its own dummy handler (a plain IRET), so the check has
a defined outcome even when nothing else handles int 41h: without a system
debugger AX comes back unchanged, and if AX is 0F386h anyway, something
underneath (SoftICE) intercepted the interrupt before the vector was used.
The original vector is restored right afterwards.

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; es must be 0 (IVT segment), as in Method 06
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

    int41handler2 PROC
        iret
    int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to spot: there
is no 4Fh/0F386h signature at all. The program reads an unpredictable byte
from the timer (port 40h, PIT counter 0), clears CX and issues int 41h. Its
own handler copies AL into CL; if the handler ran, CL == AL. If SoftICE
intercepts the interrupt without chaining to the vector, the handler never
runs and CL is still 0 (the check gives a false negative only when the byte
read from port 40h happens to be 0).

    int41handler PROC
        mov cl,al
        iret
    int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86): function
AH=43h is the debugger installation check and returns 0F386h in AX when a
system debugger is present.

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
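
A way to look for the interrupt-based checks of Methods 01 to 07 (and the
VxDCall variant of Method 12) statically, as an added example that is not
part of the original text: it scans a raw code image for the byte patterns
the snippets above assemble to (standard 16/32-bit x86 encodings: B8/BB/BE/BF
imm16, B4 imm8, BD imm32, 68 imm32, CD imm8, CC). The sample image is
constructed here from the Haspinst.exe listing of Method 02 plus the Method 05
check; the function names and the 16-byte window are my own choices.

```c
/* Added example (not from the original text): static scan of a raw code
 * image for the opcode patterns behind the SoftICE checks described above.
 * Encodings are standard 16/32-bit x86; the sample image is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    SIG_BCHK         = 1u << 0, /* mov ebp,4243484Bh ('BCHK')           Method 01 */
    SIG_BACKDOOR     = 1u << 1, /* mov si,4647h / mov di,4A4Dh / int 3  Method 02 */
    SIG_INT2F_SICE   = 1u << 2, /* mov bx,0202h ; int 2Fh               Method 03 */
    SIG_INT2F_SIWVID = 1u << 3, /* mov bx,7A5Fh ; int 2Fh               Method 04 */
    SIG_INT41_4F     = 1u << 4, /* mov ax,4Fh ; int 41h                 Method 05 */
    SIG_INT68_43     = 1u << 5, /* mov ah,43h ; int 68h                 Method 07 */
    SIG_VXDCALL_4F   = 1u << 6  /* push 4Fh ; push 002A002Ah            Method 12 */
};

struct sig { unsigned bit; const char *name; const uint8_t *pat; size_t len; };

static const uint8_t p_bchk[]    = {0xBD, 0x4B, 0x48, 0x43, 0x42};
static const uint8_t p_2f_sice[] = {0xBB, 0x02, 0x02, 0xCD, 0x2F};
static const uint8_t p_2f_siw[]  = {0xBB, 0x5F, 0x7A, 0xCD, 0x2F};
static const uint8_t p_int41[]   = {0xB8, 0x4F, 0x00, 0xCD, 0x41};
static const uint8_t p_int68[]   = {0xB4, 0x43, 0xCD, 0x68};
static const uint8_t p_vxd[]     = {0x68, 0x4F, 0x00, 0x00, 0x00,
                                    0x68, 0x2A, 0x00, 0x2A, 0x00};
static const uint8_t p_mov_si[]  = {0xBE, 0x47, 0x46};   /* mov si,4647h */
static const uint8_t p_mov_di[]  = {0xBF, 0x4D, 0x4A};   /* mov di,4A4Dh */

static const struct sig sigs[] = {
    {SIG_BCHK,         "BCHK / int 3",              p_bchk,    sizeof p_bchk},
    {SIG_INT2F_SICE,   "int 2F/1684 SICE",          p_2f_sice, sizeof p_2f_sice},
    {SIG_INT2F_SIWVID, "int 2F/1684 SIWVID",        p_2f_siw,  sizeof p_2f_siw},
    {SIG_INT41_4F,     "int 41/4F",                 p_int41,   sizeof p_int41},
    {SIG_INT68_43,     "int 68/43",                 p_int68,   sizeof p_int68},
    {SIG_VXDCALL_4F,   "VxDCall Int41Dispatch/4F",  p_vxd,     sizeof p_vxd},
};

/* Offset of the first occurrence of pat[0..plen) in buf, or -1. */
static long find_bytes(const uint8_t *buf, size_t len,
                       const uint8_t *pat, size_t plen)
{
    for (size_t i = 0; plen > 0 && i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return (long)i;
    return -1;
}

/* Method 02: the two magic loads may come in either order and other
 * instructions (mov ax,09xx / mov dx,...) sit between them, so require both
 * loads and an int 3 (CCh) after the later one, all within WINDOW bytes. */
#define WINDOW 16
static int has_int3_backdoor(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 3 <= len; i++) {
        const uint8_t *other;
        if (memcmp(buf + i, p_mov_si, 3) == 0)      other = p_mov_di;
        else if (memcmp(buf + i, p_mov_di, 3) == 0) other = p_mov_si;
        else continue;
        size_t end = (i + WINDOW < len) ? i + WINDOW : len;
        long o = find_bytes(buf + i + 3, end - (i + 3), other, 3);
        if (o < 0) continue;
        for (size_t k = i + 3 + (size_t)o + 3; k < end; k++)
            if (buf[k] == 0xCC) return 1;
    }
    return 0;
}

/* Returns a bitmask of the SIG_* patterns found in the image. */
unsigned scan_softice_checks(const uint8_t *buf, size_t len)
{
    unsigned hits = 0;
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (find_bytes(buf, len, sigs[i].pat, sigs[i].len) >= 0)
            hits |= sigs[i].bit;
    if (has_int3_backdoor(buf, len))
        hits |= SIG_BACKDOOR;
    return hits;
}

/* Constructed sample: the Haspinst.exe loop from Method 02 assembled
 * (4C19:0095..00A9), followed by the Method 05 check, between filler NOPs. */
static const uint8_t sample_image[] = {
    0x90, 0x90,
    0xB8, 0x11, 0x09,       /* mov ax,0911h */
    0x8B, 0x17,             /* mov dx,[bx]  */
    0xBE, 0x47, 0x46,       /* mov si,4647h */
    0xBF, 0x4D, 0x4A,       /* mov di,4A4Dh */
    0xCC,                   /* int 3        */
    0x83, 0xC3, 0x02,       /* add bx,2     */
    0x41,                   /* inc cx       */
    0x83, 0xF9, 0x06,       /* cmp cx,6     */
    0x72, 0xEB,             /* jb 0095      */
    0x90, 0x90,
    0xB8, 0x4F, 0x00,       /* mov ax,4Fh   */
    0xCD, 0x41,             /* int 41h      */
    0x90
};

unsigned scan_sample_image(void)
{
    return scan_softice_checks(sample_image, sizeof sample_image);
}

int main(void)
{
    unsigned hits = scan_sample_image();
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (hits & sigs[i].bit) printf("found: %s\n", sigs[i].name);
    if (hits & SIG_BACKDOOR) printf("found: int 3 back door (FG/JM)\n");
    return 0;
}
```

The fixed patterns only catch the instruction order shown on this page; a
packer that loads the registers in another order or through intermediate
registers needs the windowed treatment used for Method 02, and an encrypted
packer body has to be dumped from memory first.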
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...).

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring0 only),
a program can tell whether it was started under SoftICE (dr7 = 0x700 if you
loaded the soft with the SoftICE loader, 0x400 otherwise: bit 10 of dr7
always reads as 1, and 0x700 adds the LE and GE bits 8 and 9) and whether
memory breakpoints are set (a BPM arms one of dr0 to dr3 and its enable bits
in dr7). The values can be manipulated or changed as well (clearing BPMs,
for instance).

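Decoding dr7 the way such a check reads it, as an added example that is not
part of the original text: ring0 code gets the value with `mov eax, dr7`;
here the value is passed in as a plain integer so the decoding can be run
and checked anywhere. The bit layout is the IA-32 one (Ln/Gn in bits 0-7,
LE/GE in bits 8-9, reserved bit 10 reads as 1, R/Wn and LENn fields from bit
16). The function names and the sample values are mine.

```c
/* Added example (not from the original text): decoding DR7 as a Method 10
 * style check does. The value would come from `mov eax, dr7` in ring0;
 * it is taken as a parameter here so the logic runs in user mode. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DR7_LE    (1u << 8)   /* local exact breakpoint enable           */
#define DR7_GE    (1u << 9)   /* global exact breakpoint enable          */
#define DR7_BIT10 (1u << 10)  /* reserved, always reads as 1 (the 0x400) */

struct dr7_info {
    unsigned armed;     /* bit n set => DRn enabled through Ln or Gn     */
    unsigned exact;     /* LE|GE bits as found                          */
    unsigned rw[4];     /* per slot: 0=exec 1=write 3=read/write        */
    unsigned len[4];    /* per slot: 0=1 byte 1=2 bytes 3=4 bytes       */
};

struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info d = {0};
    for (int n = 0; n < 4; n++) {
        unsigned ln = (dr7 >> (2 * n)) & 1u;
        unsigned gn = (dr7 >> (2 * n + 1)) & 1u;
        if (ln || gn)
            d.armed |= 1u << n;
        d.rw[n]  = (dr7 >> (16 + 4 * n)) & 3u;
        d.len[n] = (dr7 >> (18 + 4 * n)) & 3u;
    }
    d.exact = dr7 & (DR7_LE | DR7_GE);
    return d;
}

/* The heuristic from the text: 0x700 (LE+GE on top of the always-set bit
 * 10) when the target was started by the SoftICE loader, 0x400 otherwise. */
int dr7_set_by_softice_loader(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Number of hardware (BPM) breakpoint slots currently armed. */
int dr7_armed_count(uint32_t dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    int c = 0;
    for (int n = 0; n < 4; n++)
        c += (d.armed >> n) & 1u;
    return c;
}

/* What "clearing BPMs" amounts to: drop Ln/Gn for every slot and keep the
 * rest (a ring0 program would write the result back with `mov dr7, eax`). */
uint32_t dr7_clear_all_bpm(uint32_t dr7)
{
    return dr7 & ~0xFFu;
}

/* Inverse operation, used to build sample values: arm slot n with the given
 * R/W and LEN fields through its local-enable bit. */
uint32_t dr7_arm_slot(uint32_t dr7, int n, unsigned rw, unsigned len)
{
    dr7 |= 1u << (2 * n);
    dr7 &= ~(0xFu << (16 + 4 * n));
    dr7 |= (((len & 3u) << 2) | (rw & 3u)) << (16 + 4 * n);
    return dr7;
}

int main(void)
{
    /* constructed sample values: plain load, SoftICE loader, loader + one BPM */
    uint32_t samples[] = {0x400, 0x700, dr7_arm_slot(0x700, 1, 3, 3)};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_info d = decode_dr7(samples[i]);
        printf("dr7=%#010x loader=%d armed=%#x exact=%#x\n",
               (unsigned)samples[i], dr7_set_by_softice_loader(samples[i]),
               d.armed, d.exact);
    }
    return 0;
}
```

The loader heuristic only says whether LE and GE are set; any other ring0
component that sets those bits produces the same 0x700, so a protection
that relies on it alone can be fooled, and a BPM is visible only while it is
armed (dr7_armed_count above returns 0 once the Ln/Gn bits are cleared).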
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include <windows.h>

    BOOL IsSoftIce95Loaded(void)
    {
        HANDLE hFile;
        /* device name of the SoftICE VxD; \\.\SIWVID and \\.\NTICE are
           checked the same way */
        hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-1            ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
  (esp->4 is the first argument, lpFileName; +4 skips the "\\.\" prefix, so
  the compare looks at the first four characters of the device name.)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                     ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-()

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the second argument, lpSubKey; offset 0x13 is where "tICE" sits
in "Software\NuMega\SoftICE", and 0x37 where it sits in the Uninstall key.)

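The fixed-offset four-byte compare that the conditional breakpoints of
Method 11 (CreateFileA) and Method 13 (_regopenkey) perform, written out in C
as an added example that is not part of the original text, so the offsets
can be checked against real strings and the prefix nature of the check
becomes visible. The function names and the constructed inputs are mine.

```c
/* Added example (not from the original text): what SoftICE's
 *   *(ptr+off)=='ABCD'
 * condition does, applied to the CreateFileA and RegOpenKey arguments the
 * breakpoints of Methods 11 and 13 look at. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True when the four bytes at s+off are exactly tag[0..3] in memory order.
 * Bounds-checked on the C string length, which the breakpoint engine is
 * not; a tag that is not four characters long never matches. */
int bpx_dword_eq(const char *s, size_t off, const char *tag)
{
    size_t n = strlen(s);
    if (strlen(tag) != 4 || off + 4 > n)
        return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* Method 11:  BPX CreateFileA if *(esp->4+4)=='SICE' || 'SIWV' || 'NTIC'
 * esp->4 is the first stdcall argument (lpFileName); +4 skips the "\\.\"
 * prefix, so only characters 4..7 of the path are compared. */
int bpx_createfile_hits(const char *lpFileName)
{
    return bpx_dword_eq(lpFileName, 4, "SICE") ||
           bpx_dword_eq(lpFileName, 4, "SIWV") ||
           bpx_dword_eq(lpFileName, 4, "NTIC");
}

/* Exact form of the same check: the whole device name rather than a
 * four-byte window, so a file called "XXXXSICE..." no longer trips it. */
int is_softice_device_path(const char *lpFileName)
{
    static const char *const names[] = {
        "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (strcmp(lpFileName, names[i]) == 0)
            return 1;
    return 0;
}

/* Method 13:  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is the second argument (lpSubKey). 0x13 is where "tICE" sits in
 * "Software\NuMega\SoftICE", 0x37 where it sits in the Uninstall key. */
int bpx_regopenkey_hits(const char *lpSubKey)
{
    return bpx_dword_eq(lpSubKey, 0x13, "tICE") ||
           bpx_dword_eq(lpSubKey, 0x37, "tICE");
}

int main(void)
{
    /* constructed inputs: the three device names, an unrelated device and
       a plain file whose characters 4..7 happen to read "SICE" */
    const char *paths[] = {"\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                           "\\\\.\\PhysicalDrive0", "XXXXSICE.log"};
    const char *keys[]  = {"Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion"};
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-24s bpx=%d exact=%d\n", paths[i],
               bpx_createfile_hits(paths[i]), is_softice_device_path(paths[i]));
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("%-64s bpx=%d\n", keys[i], bpx_regopenkey_hits(keys[i]));
    return 0;
}
```

The breakpoint conditions are deliberately cheap prefix checks: they fire on
any string that happens to carry those four bytes at the offset, and they
miss a program that opens the device through a different spelling or path
form, which is why the page lists several alternative BPX/BPINT conditions.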
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

    VMMCall Test_Debug_Installed
    je not_installed            ; ZF set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>