<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911          ; execute command.
4C19:0098  MOV DX,[BX]          ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647          ; 1st magic value.
4C19:009D  MOV DI,4A4D          ; 2nd magic value.
4C19:00A0  INT 3                ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD BX,02            ; BX+2 to point to the next command to execute
4C19:00A4  INC CX
4C19:00A5  CMP CX,06            ; Repeat 6 times to execute
4C19:00A8  JB 0095              ; 6 different commands.
4C19:00AA  JMP 0002             ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP            ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API: Get entry point).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; es must point to the IVT (segment 0), as in Method 06
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; only reached if nobody else owns int 41h
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; varying value from PIT counter 0
        xor cx, cx              ; cl = 0 before the call
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al              ; cl != al if SoftICE swallowed the interrupt
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), with ds:dx pointing
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
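As an added example (not part of the original text), here is a small Python decoder for DR7 that shows what the 0x700 and 0x400 values quoted above mean and how a BPM set on dr0..dr3 becomes visible in the register; the bit layout is the standard IA-32 one, and the sample value is constructed.

```python
# Added example: decode the IA-32 DR7 debug-control register so the values the
# text quotes (0x700 with the SoftICE loader, 0x400 otherwise) and any BPM set
# in dr0..dr3 can be read off. Bit layout is the standard one: L0/G0..L3/G3 in
# bits 0-7, LE bit 8, GE bit 9, bit 10 reserved (always 1), GD bit 13,
# R/Wn and LENn in bits 16-31 (4 bits per breakpoint slot).
RW = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 means 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Return the global flags plus a list of the enabled hardware breakpoints."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            bps.append({"slot": n, "scope": "global" if glob else "local",
                        "type": RW[rw], "len": LEN[ln]})
    return {"LE": bool(dr7 & 0x100),     # local exact breakpoint enable
            "GE": bool(dr7 & 0x200),     # global exact breakpoint enable
            "GD": bool(dr7 & 0x2000),    # general detect: trap on DRn access
            "breakpoints": bps}


def softice_loader_signature(dr7):
    """The text's heuristic: LE and GE both set (0x700) vs. only the reserved bit (0x400)."""
    return bool(dr7 & 0x100) and bool(dr7 & 0x200)


# Constructed sample: reserved bit 10 plus one global 4-byte write BPM in slot 1
# (G1 = bit 3, R/W1 = 01 at bits 20-21, LEN1 = 11 at bits 22-23) -> 0xD00408.
SAMPLE_DR7 = 0x400 | 0x8 | (0b01 << 20) | (0b11 << 22)

if __name__ == "__main__":
    for v in (0x400, 0x700, SAMPLE_DR7):
        print(hex(v), softice_loader_signature(v), decode_dr7(v))
```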

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SoftICE (Win9x) driver accepts an open of its
   device name, i.e. when the debugger is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push 00402025           ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001
        00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
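As an added example (not part of the original text), the following Python scanner looks for the byte patterns of the tricks catalogued above (methods 01, 02, 03/04, 05, 07, 11, 12 and 13) in a file image, so an analyst can flag them statically before tracing; the patterns are constructed from the instruction listings above using standard x86 encodings, the "Mxx" labels are mine, and the sample buffer is constructed.

```python
import re

# Byte-level signatures for the anti-SoftICE tricks described above. The
# encodings are the standard x86 ones for the listed instructions; an optional
# 0x66 operand-size prefix lets each pattern match both 16-bit DOS code and
# 32-bit Windows code. Device names are those MeltICE opens with CreateFileA.
_DEV = b"|".join(re.escape(b"\\\\.\\" + n) for n in (b"SICE", b"SIWVID", b"NTICE"))
SIGNATURES = {
    "M01 BCHK signature (mov ebp,4243484Bh / mov ax,4 / int 3)":
        rb"\x66?\xbd\x4b\x48\x43\x42\x66?\xb8\x04\x00\xcc",
    "M02 back-door magic values (mov si,4647h / mov di,4A4Dh)":
        rb"\x66?\xbe\x47\x46\x66?\xbf\x4d\x4a",
    "M03/M04 VxD entry point (mov ax,1684h / mov bx,VxD ID / int 2Fh)":
        rb"\x66?\xb8\x84\x16\x66?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f",
    "M05 system debugger check (mov ax,4Fh / int 41h)":
        rb"\x66?\xb8\x4f\x00\xcd\x41",
    "M07 V86 WinICE handler (mov ah,43h / int 68h)":
        rb"\xb4\x43\xcd\x68",
    "M11 MeltICE device name": _DEV,
    "M12 VWIN32_Int41Dispatch via VxDCall (push 4Fh / push 2A002Ah)":
        rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
    "M13 SoftICE registry key": re.escape(b"Software\\NuMega\\SoftICE"),
}
COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES.items()]


def scan(data):
    """Return a list of (offset, signature_name) hits in data, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: junk padding around three of the sequences above.
SAMPLE = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"   # M01, 32-bit encoding
    + b"\x90" * 4
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"           # M03, 16-bit encoding
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                            # M11 device name
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(data):
        print(f"0x{off:06x}  {name}")
```

A hit is only an indicator: short byte sequences can occur in data by chance, so confirm each one in a disassembler before treating the sample as anti-debug protected.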


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>