<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: the 'BCHK' request
is issued through int 3 and SoftICE answers it by modifying AL, so an
unchanged AL means no SoftICE.

   mov ebp, 04243484Bh    ; 'BCHK'
   mov ax, 04h
   int 3
   cmp al, 4              ; AL still 4: nobody answered the request
   jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


   4C19:0095  MOV  AX,0911    ; execute command.
   4C19:0098  MOV  DX,[BX]    ; ds:dx points to the command (see below).
   4C19:009A  MOV  SI,4647    ; 1st magic value.
   4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
   4C19:00A0  INT  3          ; Int call (if SoftICE is not loaded, jmp to 00AD*).
   4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute.
   4C19:00A4  INC  CX
   4C19:00A5  CMP  CX,06      ; Repeat 6 times to execute
   4C19:00A8  JB   0095       ; 6 different commands.
   4C19:00AA  JMP  0002       ; Bad_Guy jmp back.
   4C19:00AD  MOV  BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own exception handler
  (its int 3 handler) if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(Get Device API Entry Point): ES:DI comes back unchanged (0:0) when no VxD
with that ID is loaded.


   xor di, di
   mov es, di
   mov ax, 1684h
   mov bx, 0202h          ; VxD ID of WINICE (SICE)
   int 2Fh
   mov ax, es             ; ES:DI -> VxD API entry point
   add ax, di
   test ax, ax            ; ES:DI still 0:0 -> no such VxD
   jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).


   xor di, di
   mov es, di
   mov ax, 1684h
   mov bx, 7a5Fh          ; VxD ID of SIWVID
   int 2fh
   mov ax, es             ; ES:DI -> VxD API entry point
   add ax, di
   test ax, ax
   jnz SoftICE_Detected


__________________________________________________________________________


Method 05
=========


Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

   mov ax, 4fh
   int 41h
   cmp ax, 0F386h
   jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily replaced
by a dummy handler (ES must point to the interrupt vector table at segment 0,
as in Method 06), so a handler installed in the vector table cannot answer;
a debugger that intercepts int 41h before the vector table is consulted, as
the SoftICE VxD does, still returns 0F386h:

   xor ax, ax
   mov es, ax             ; ES = 0 -> interrupt vector table
   mov bx, cs
   lea dx, int41handler2
   xchg dx, es:[41h*4]    ; install our own int 41h handler...
   xchg bx, es:[41h*4+2]  ; ...and keep the old vector in BX:DX
   mov ax, 4fh
   int 41h
   xchg dx, es:[41h*4]    ; restore the original vector
   xchg bx, es:[41h*4+2]
   cmp ax, 0f386h
   jz SoftICE_detected

   int41handler2 PROC
      iret
   int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but harder to spot: AL is loaded
with an arbitrary value (read from the timer port), CX is cleared and
int 41h is raised. Our own handler copies AL into CL, so CL == AL
afterwards unless something else swallowed the interrupt first:


   int41handler PROC
      mov cl, al
      iret
   int41handler ENDP


   xor ax, ax
   mov es, ax             ; ES = 0 -> interrupt vector table
   mov bx, cs
   lea dx, int41handler
   xchg dx, es:[41h*4]    ; install our handler, keep the old vector in BX:DX
   xchg bx, es:[41h*4+2]
   in al, 40h             ; arbitrary value (timer channel 0)
   xor cx, cx
   int 41h
   xchg dx, es:[41h*4]    ; restore the original vector
   xchg bx, es:[41h*4+2]
   cmp cl, al             ; handler never reached (CL still 0) -> debugger
   jnz SoftICE_detected

Note that if the byte read from port 40h happens to be 0, CL == AL even when
the handler was not reached, so the check silently passes once in 256 runs.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

   mov ah, 43h
   int 68h
   cmp ax, 0F386h
   jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h (the interrupts a debugger relies on for
single-stepping and breakpoints) and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

   mov ah, 25h
   mov al, Int_Number     ; 01h or 03h
   mov dx, offset New_Int_Routine   ; DS:DX = new handler
   int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

   mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov [DDB], ecx         ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (DR0 to DR3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.


Here is a sample (checking for 'SICE'):


   BOOL IsSoftIce95Loaded()
   {
      HANDLE hFile;
      hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                          FILE_SHARE_READ | FILE_SHARE_WRITE,
                          NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
      if( hFile != INVALID_HANDLE_VALUE )
      {
         CloseHandle(hFile);
         return TRUE;
      }
      return FALSE;
   }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


   00401067: push 00402025          ; \\.\SICE
   0040106C: call CreateFileA
   00401071: cmp  eax,-001          ; INVALID_HANDLE_VALUE
   00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'
   (esp->4 is lpFileName, the first argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push 00                  ; OF_READ
   mov  eax,[00656634]      ; '\\.\SICE',0
   push eax
   call KERNEL32!_lopen
   inc  eax                 ; HFILE_ERROR (-1) + 1 == 0 -> open failed
   jnz  00650589            ; detected
   push 00                  ; OF_READ
   mov  eax,[00656638]      ; second driver name (most likely '\\.\SIWVID',0)
   push eax
   call KERNEL32!_lopen
   inc  eax
   jz   006505ae            ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods 05
& 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push 0000004fh           ; function 4fh
   push 002a002ah           ; high word specifies which VxD (VWIN32, ID 002Ah),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
   call Kernel32!ORD_001    ; VxdCall
   cmp  ax, 0f386h          ; magic number returned by system debuggers
   jz   SoftICE_detected

Here again, several ways to detect it:

   BPINT 41 if ax==4f

   BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

   BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

   BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

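The tricks of Methods 01 to 12 all leave fixed byte sequences in the program:
the 'BCHK' immediate, the 4647h/4A4Dh magic values, the VxD IDs in front of
int 2Fh, function 4Fh in front of int 41h, the push of 002A002Ah and the
\\.\SICE-style device names. The following C program is added here as an
example; it is not part of the original text nor of any tool named in it. It
is a small static scanner over a byte buffer: the rule table is hand-assembled
from the listings above (16-bit encodings unless noted), the 8-byte proximity
window is chosen here, the sample buffer is constructed rather than dumped
from a real binary, and it also splits the VxDCall service number of Method 12
into VxD ID and service index.

```c
/* Added example (not part of the original text): a static scanner for the
   byte sequences the tricks of Methods 01 to 12 leave behind. Patterns are
   hand-assembled from the listings above (16-bit encodings unless noted).
   The 8-byte proximity window and the sample buffer are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int method;                      /* "Method NN" in the text above */
    const char *what;
    const uint8_t *a; size_t alen;   /* first pattern */
    const uint8_t *b; size_t blen;   /* optional second pattern (NULL = none) */
    size_t window;                   /* b must start within this many bytes after a */
} rule_t;

static const uint8_t bchk[]     = {0xBD,0x4B,0x48,0x43,0x42}; /* mov ebp,4243484Bh ('BCHK') */
static const uint8_t int3[]     = {0xCC};                     /* int 3 */
static const uint8_t si_magic[] = {0xBE,0x47,0x46};           /* mov si,4647h */
static const uint8_t di_magic[] = {0xBF,0x4D,0x4A};           /* mov di,4A4Dh */
static const uint8_t bx_sice[]  = {0xBB,0x02,0x02};           /* mov bx,0202h (SICE ID) */
static const uint8_t bx_siwv[]  = {0xBB,0x5F,0x7A};           /* mov bx,7A5Fh (SIWVID ID) */
static const uint8_t int2f[]    = {0xCD,0x2F};                /* int 2Fh */
static const uint8_t ax_4f[]    = {0xB8,0x4F,0x00};           /* mov ax,4Fh */
static const uint8_t int41[]    = {0xCD,0x41};                /* int 41h */
static const uint8_t ah_43[]    = {0xB4,0x43};                /* mov ah,43h */
static const uint8_t int68[]    = {0xCD,0x68};                /* int 68h */
static const uint8_t dev_sice[]   = "\\\\.\\SICE";            /* MeltICE device names */
static const uint8_t dev_siwvid[] = "\\\\.\\SIWVID";
static const uint8_t dev_ntice[]  = "\\\\.\\NTICE";
static const uint8_t vxdcall_41[] = {0x68,0x2A,0x00,0x2A,0x00}; /* push 002A002Ah (32-bit code) */

#define P(x) x, sizeof(x)        /* raw byte pattern */
#define S(x) x, sizeof(x) - 1    /* string pattern without its NUL */
#define NONE NULL, 0

static const rule_t rules[] = {
    { 1, "BoundsChecker 'BCHK' request on int 3",           P(bchk),     P(int3),     8 },
    { 2, "back door magic values SI=4647h / DI=4A4Dh",      P(si_magic), P(di_magic), 8 },
    { 3, "int 2Fh/1684h entry point of VxD 0202h (SICE)",   P(bx_sice),  P(int2f),    8 },
    { 4, "int 2Fh/1684h entry point of VxD 7A5Fh (SIWVID)", P(bx_siwv),  P(int2f),    8 },
    { 5, "int 41h function 4Fh debugger check",             P(ax_4f),    P(int41),    8 },
    { 7, "int 68h function 43h",                            P(ah_43),    P(int68),    8 },
    {11, "device name \\\\.\\SICE",                         S(dev_sice),   NONE,      0 },
    {11, "device name \\\\.\\SIWVID",                       S(dev_siwvid), NONE,      0 },
    {11, "device name \\\\.\\NTICE",                        S(dev_ntice),  NONE,      0 },
    {12, "VxDCall VWIN32_Int41Dispatch (push 002A002Ah)",   P(vxdcall_41), NONE,      0 },
};

/* First offset >= start where pat occurs in buf, or -1. */
static long find_at(const uint8_t *buf, size_t len, size_t start,
                    const uint8_t *pat, size_t plen)
{
    for (size_t i = start; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* A rule matches when pattern a occurs and, if b is given, b follows it within
   the window (a "mov bx,0202h" far from any int 2Fh is therefore ignored). */
static int rule_hits(const rule_t *r, const uint8_t *buf, size_t len)
{
    long pos = 0;
    while ((pos = find_at(buf, len, (size_t)pos, r->a, r->alen)) >= 0) {
        size_t end = (size_t)pos + r->alen;
        if (!r->b) return 1;
        long bpos = find_at(buf, len, end, r->b, r->blen);
        if (bpos >= 0 && (size_t)bpos <= end + r->window) return 1;
        pos++;
    }
    return 0;
}

/* Bitmask with bit m set for every Method m found (several rules for the same
   method set the same bit). Prints one line per matching rule. */
unsigned scan_methods(const uint8_t *buf, size_t len)
{
    unsigned mask = 0;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (!rule_hits(&rules[i], buf, len)) continue;
        printf("Method %02d: %s\n", rules[i].method, rules[i].what);
        mask |= 1u << rules[i].method;
    }
    return mask;
}

/* Method 12: the dword pushed before Kernel32!ORD_0001 is VxD ID (high word)
   and service index (low word); 002A002Ah = VWIN32 / VWIN32_Int41Dispatch. */
uint16_t vxdcall_vxd_id(uint32_t svc) { return (uint16_t)(svc >> 16); }
uint16_t vxdcall_index(uint32_t svc)  { return (uint16_t)(svc & 0xFFFF); }

/* Constructed sample: snippets from the listings above, hand-assembled. */
const uint8_t sample[] = {
    0x55, 0x8B, 0xEC,                                                    /* push bp / mov bp,sp */
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x05,                /* Method 05 */
    0x33,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,     /* Method 03 */
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,     /* Method 02 (HASP) */
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00, 0xE8,0,0,0,0, 0x66,0x3D,0x86,0xF3, /* Method 12 */
    '\\','\\','.','\\','S','I','W','V','I','D',0,                        /* Method 11 */
    0xC3
};
const size_t sample_len = sizeof sample;
const uint8_t clean[] = {0x55,0x8B,0xEC,0xB8,0x01,0x00,0x5D,0xC3};  /* push bp/mov bp,sp/mov ax,1/pop bp/ret */
const size_t clean_len = sizeof clean;

int main(void)
{
    unsigned found = scan_methods(sample, sample_len);
    printf("mask %#x; VxDCall 002A002Ah -> VxD %04X, service %04X\n", found,
           vxdcall_vxd_id(0x002A002A), vxdcall_index(0x002A002A));
    return scan_methods(clean, clean_len) == 0 ? 0 : 1;
}
```

Compile and run it: the sample reports Methods 02, 03, 05, 11 and 12, the
clean buffer reports nothing. Such a scanner only catches literal encodings;
a packer that builds the constants at run time or loads the VxD ID through
another register slips through, so treat it as a triage aid, not as proof.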
__________________________________________________________________________


Method 13
=========


Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   (esp->8 is lpSubKey, the second argument; 0x13 and 0x37 are the offsets of
   "tICE" inside keys #2 and #1)

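The two constants in that breakpoint come straight from the key strings: for
RegOpenKey(hKey, lpSubKey, phkResult) the second argument sits at esp->8 on
entry, and the four bytes "tICE" are the tail of "SoftICE" inside the sub-key.
The C program below is added here as an example, not part of the original
text: it computes those offsets from the three sub-key strings (key #3 never
contains "tICE", so it yields no clause) and generates the breakpoint line.
The function names are chosen here.

```c
/* Added example (not part of the original text): where the 0x13 and 0x37 in
   the breakpoint above come from, and how to regenerate the line for any
   list of sub-keys. Function names are chosen here. */
#include <stdio.h>
#include <string.h>

/* Byte offset of tag inside key, or -1 if the key does not contain it. */
int tag_offset(const char *key, const char *tag)
{
    const char *p = strstr(key, tag);
    return p ? (int)(p - key) : -1;
}

/* Writes "BPX _regopenkey if *(esp->8+0xNN)=='tICE' || ..." into out, one
   clause per key that contains the tag. Returns the number of clauses. */
int build_regopenkey_bpx(const char *const *keys, int nkeys, const char *tag,
                         char *out, size_t outsz)
{
    int clauses = 0;
    size_t used = (size_t)snprintf(out, outsz, "BPX _regopenkey if ");
    for (int i = 0; i < nkeys && used < outsz; i++) {
        int off = tag_offset(keys[i], tag);
        if (off < 0) continue;                   /* like key #3: no "tICE" in it */
        used += (size_t)snprintf(out + used, outsz - used, "%s*(esp->8+0x%02X)=='%s'",
                                 clauses ? " || " : "", off, tag);
        clauses++;
    }
    return clauses;
}

/* The sub-key strings of keys #1, #2 and #3 above, as a program passes them
   to RegOpenKey under HKEY_LOCAL_MACHINE. */
const char *const softice_keys[] = {
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
};

static char bpx_line[256];

/* Builds the breakpoint for the three keys; returns the clause count and
   leaves the text available through softice_bpx_text(). */
int softice_bpx_clauses(void)
{
    return build_regopenkey_bpx(softice_keys, 3, "tICE", bpx_line, sizeof bpx_line);
}
const char *softice_bpx_text(void) { return bpx_line; }

int main(void)
{
    printf("%d clauses: %s\n", softice_bpx_clauses(), softice_bpx_text());
    return 0;
}
```

The clauses follow the key order, so key #1's 0x37 comes out first; the
page's line lists 0x13 first, which is the same breakpoint. Running it for
a SoftICE installed under another key (or for NTICE on WinNT) gives the
offsets to use instead of the two hard-coded ones.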
__________________________________________________________________________



Method 14
=========


A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je not_installed         ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>