<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
____________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
 (function called is located at byte ptr [ebp+1Dh] and client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    // Try to open the SICE VxD as a device: the open only succeeds
    // when the driver is loaded.
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________
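Added example (not part of the original text): a small Python scanner that looks in a file for the byte patterns of methods 01 to 13 above, the way an analyst would triage a packed program before tracing it under SoftICE. The opcode bytes are the usual assembler encodings of the instructions listed in each method; an assembler can pick another encoding of the same instruction, so a miss is not proof of absence. The sample buffer is constructed here to exercise the scanner.

```python
from __future__ import annotations
import sys

# Byte patterns for the tricks above. These are the usual assembler encodings
# (16-bit mov reg,imm16 / int n); other encodings of the same instructions
# exist, so a hit is a lead for the analyst, not a verdict.
SIGNATURES = {
    "method 01: mov ebp,4243484Bh ('BCHK')":            b"\xBD\x4B\x48\x43\x42",
    "method 02: mov si,4647h / mov di,4A4Dh":           b"\xBE\x47\x46\xBF\x4D\x4A",
    "method 03: int 2Fh/1684h, VxD ID 0202h (SICE)":    b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)":  b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    "method 05: mov ax,4Fh / int 41h":                  b"\xB8\x4F\x00\xCD\x41",
    "method 07: mov ah,43h / int 68h":                  b"\xB4\x43\xCD\x68",
    "method 11: device name \\\\.\\SICE":               b"\\\\.\\SICE\x00",
    "method 11: device name \\\\.\\SIWVID":             b"\\\\.\\SIWVID\x00",
    "method 11: device name \\\\.\\NTICE":              b"\\\\.\\NTICE\x00",
    "method 12: push 4Fh / push 2A002Ah (VxDCall)":     b"\x6A\x4F\x68\x2A\x00\x2A\x00",
    "method 13: NuMega\\SoftICE registry key":          b"Software\\NuMega\\SoftICE",
    "cmp ax,0F386h (magic checked by methods 05/12)":   b"\x3D\x86\xF3",
}


def find_all(blob: bytes, pattern: bytes):
    """Yield every offset at which pattern occurs in blob (overlaps allowed)."""
    start = 0
    while True:
        idx = blob.find(pattern, start)
        if idx == -1:
            return
        yield idx
        start = idx + 1


def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, label) pairs for every signature found, sorted by offset."""
    return sorted((off, label)
                  for label, pattern in SIGNATURES.items()
                  for off in find_all(blob, pattern))


def scan_file(path: str) -> list[tuple[int, str]]:
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample (not a real binary): filler, then methods 05, 11, 12 and
# 03 back to back, so the expected offsets are known in advance.
SAMPLE = (
    b"MZ" + b"\x90" * 6                                        # 0:  filler
    + b"\xB8\x4F\x00\xCD\x41" + b"\x3D\x86\xF3" + b"\x74\x10"  # 8:  mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\x00" * 4                                              # 18: padding
    + b"\\\\.\\SICE\x00"                                       # 22: MeltICE device name
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                          # 31: VxDCall VWIN32_Int41Dispatch
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                      # 38: int 2Fh/1684h with bx=0202h
)

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for off, label in hits:
        print(f"{off:08X}  {label}")
```

Run it with a file path to scan that file; with no argument it scans the built-in sample.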

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>