<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface that SoftICE exposes through INT 3:
with EBP='BCHK' and AX=4, a loaded SoftICE answers by changing AL
(it returns AL=0); without SoftICE the registers come back untouched.

mov ebp, 04243484Bh ; 'BCHK'
mov ax, 04h
int 3
cmp al, 4 ; AL still 4 -> nobody answered
jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It relies on
the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) installed by
the program: if the debugger is not loaded, nobody answers the INT 3 and the
handler resumes execution at 00ADh.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/AX=1684h
(Get Device API Entry Point): if the VxD is loaded, ES:DI receives its
API entry point, otherwise ES:DI comes back as 0000:0000.

xor di,di
mov es,di
mov ax, 1684h
mov bx, 0202h ; VxD ID of winice
int 2Fh
mov ax, es ; ES:DI -> VxD API entry point
add ax, di
test ax,ax ; ES and DI both zero -> no such VxD
jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE video VxD (SIWVID).

xor di,di
mov es,di
mov ax, 1684h
mov bx, 7a5Fh ; VxD ID of SIWVID
int 2fh
mov ax, es ; ES:DI -> VxD API entry point
add ax, di
test ax,ax
jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========
Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:
mov ax,4fh
int 41h
cmp ax, 0F386h
jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily points the int 41h
vector at a plain IRET (ES is assumed to be 0, the IVT segment): without a
debugger the call returns with AX still equal to 4Fh, whereas SoftICE
intercepts int 41h before the real-mode vector is reached and returns 0F386h:

mov bx, cs
lea dx, int41handler2
xchg dx, es:[41h*4] ; swap in our handler, keep the old vector in DX:BX
xchg bx, es:[41h*4+2]
mov ax,4fh
int 41h
xchg dx, es:[41h*4] ; restore the old vector
xchg bx, es:[41h*4+2]
cmp ax, 0f386h
jz SoftICE_detected

int41handler2 PROC
iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:
the program's own int 41h handler copies AL into CL. AL is loaded from the
timer port 40h (an arbitrary, rarely zero value) and CX is cleared before the
call, so if CL differs from AL afterwards the interrupt did not reach the
handler unchanged: something (SoftICE) intercepted it.

int41handler PROC
mov cl,al
iret
int41handler ENDP


xor ax,ax
mov es,ax
mov bx, cs
lea dx, int41handler
xchg dx, es:[41h*4]
xchg bx, es:[41h*4+2]
in al, 40h
xor cx,cx
int 41h
xchg dx, es:[41h*4]
xchg bx, es:[41h*4+2]
cmp cl,al
jnz SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode; AH=43h is the
debugger installation check, which returns AX=0F386h when a system debugger
answers):

mov ah,43h
int 68h
cmp ax,0F386h
jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
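Methods 01 to 07 all boil down to a handful of fixed instruction sequences (an immediate loaded into a register, then a software interrupt), so a reverser can spot them statically before ever running the target under SoftICE. The C program below is an added example, not code from the original page or from any of the tools it mentions: it scans a byte image for the x86 encodings of those sequences, allowing a few bytes of slack between the fragments because packers interleave other instructions (the Haspinst listing above loads DX between the AX load and the magic values). The signature names, the 16-byte window and the sample image are my own constructions; the 66h operand-size prefix of 32-bit code is left out of the fragments on purpose so the same table matches 16-bit and 32-bit images.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One trick = ordered byte fragments that must all appear, in order,
 * within `window` bytes of the first one. */
#define MAX_PARTS 3
typedef struct {
    const char    *name;
    const uint8_t *part[MAX_PARTS];
    size_t         len[MAX_PARTS];
    int            nparts;
    size_t         window;
} Signature;

/* Encodings (little-endian immediates): CC = INT 3, CD xx = INT xx,
 * BD = mov (e)bp,imm, B8/BB/BE/BF = mov ax/bx/si/di,imm16, B4 = mov ah,imm8 */
static const uint8_t BCHK[]      = {0xBD, 0x4B, 0x48, 0x43, 0x42}; /* mov ebp,'BCHK' */
static const uint8_t FG[]        = {0xBE, 0x47, 0x46};             /* mov si,4647h   */
static const uint8_t JM[]        = {0xBF, 0x4D, 0x4A};             /* mov di,4A4Dh   */
static const uint8_t INT3[]      = {0xCC};
static const uint8_t API1684[]   = {0xB8, 0x84, 0x16};             /* mov ax,1684h   */
static const uint8_t SICE_ID[]   = {0xBB, 0x02, 0x02};             /* mov bx,0202h   */
static const uint8_t SIWVID_ID[] = {0xBB, 0x5F, 0x7A};             /* mov bx,7A5Fh   */
static const uint8_t INT2F[]     = {0xCD, 0x2F};
static const uint8_t AX4F[]      = {0xB8, 0x4F, 0x00};             /* mov ax,4Fh     */
static const uint8_t INT41[]     = {0xCD, 0x41};
static const uint8_t AH43[]      = {0xB4, 0x43};                   /* mov ah,43h     */
static const uint8_t INT68[]     = {0xCD, 0x68};

static const Signature SIGS[] = {
    {"01 BoundsChecker BCHK/INT 3",  {BCHK, INT3},                {5, 1},    2, 16},
    {"02 back door SI='FG' DI='JM'", {FG, JM, INT3},              {3, 3, 1}, 3, 16},
    {"03 INT 2F/1684 SICE VxD",      {API1684, SICE_ID, INT2F},   {3, 3, 2}, 3, 16},
    {"04 INT 2F/1684 SIWVID VxD",    {API1684, SIWVID_ID, INT2F}, {3, 3, 2}, 3, 16},
    {"05/06 INT 41/4F",              {AX4F, INT41},               {3, 2},    2, 16},
    {"07 INT 68/43",                 {AH43, INT68},               {2, 2},    2, 16},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

typedef struct { const char *name; size_t offset; } Hit;

/* First occurrence of needle in hay[0..haylen), or -1. */
static long find_bytes(const uint8_t *hay, size_t haylen,
                       const uint8_t *needle, size_t nlen)
{
    if (nlen == 0 || haylen < nlen) return -1;
    for (size_t i = 0; i + nlen <= haylen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return (long)i;
    return -1;
}

/* Match `sig` with its first fragment exactly at buf[off]; later fragments
 * are searched in order inside the window, after the previous one ends. */
static int match_at(const Signature *sig, const uint8_t *buf, size_t len, size_t off)
{
    size_t end = (off + sig->window < len) ? off + sig->window : len;
    if (end - off < sig->len[0] || memcmp(buf + off, sig->part[0], sig->len[0]) != 0)
        return 0;
    size_t pos = off + sig->len[0];
    for (int p = 1; p < sig->nparts; p++) {
        long r = find_bytes(buf + pos, end - pos, sig->part[p], sig->len[p]);
        if (r < 0) return 0;
        pos += (size_t)r + sig->len[p];
    }
    return 1;
}

/* Scan the whole image; store up to max_hits hits, return the total found. */
size_t scan_image(const uint8_t *buf, size_t len, Hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off < len; off++)
        for (size_t s = 0; s < NSIGS; s++)
            if (match_at(&SIGS[s], buf, len, off)) {
                if (n < max_hits) { hits[n].name = SIGS[s].name; hits[n].offset = off; }
                n++;
            }
    return n;
}

/* Constructed sample image (not taken from any real binary): filler, the
 * Haspinst back-door loop (mov ax,911h / mov dx,[bx] interleaved), a 32-bit
 * Method 01 probe (66h prefix on mov ax,4) and a Method 07 probe. */
const uint8_t SAMPLE[] = {
    0x90, 0x90, 0x55, 0x8B, 0xEC,                                           /* nop nop push bp mov bp,sp */
    0xB8, 0x11, 0x09, 0x8B, 0x17, 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC, /* Method 02, 'FG' at 10 */
    0x83, 0xC3, 0x02, 0x41,                                                 /* add bx,2 / inc cx */
    0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00, 0xCC,             /* Method 01 at 21 */
    0x3C, 0x04, 0x75, 0x10,                                                 /* cmp al,4 / jnz */
    0xB4, 0x43, 0xCD, 0x68, 0x3D, 0x86, 0xF3,                               /* Method 07 at 35 */
};
const size_t SAMPLE_LEN = sizeof SAMPLE;

int main(void)
{
    Hit hits[16];
    size_t n = scan_image(SAMPLE, SAMPLE_LEN, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("offset %3zu: Method %s\n", hits[i].offset, hits[i].name);
    return 0;
}
```

Run it on a raw dump of the code section of the program you are studying (the unpacked image, since the sequences only exist in clear once the packer has finished) and set your breakpoints on the reported offsets instead of waiting for the trick to fire.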
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

mov ah, 25h ; set interrupt vector
mov al, Int_Number ; 01h or 03h
mov dx, offset New_Int_Routine ; DS:DX -> new handler
int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ecx)
if it is installed.

mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
VMMCall Get_DDB
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear your breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).
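Reading DR7 only helps if you know how to take it apart. The following C code is an added example, not from the original page: it decodes a DR7 value into the per-slot enable, type and length fields documented in the Intel manuals, so the two values quoted above can be read: 0x400 is just the always-set reserved bit 10, and 0x700 adds LE and GE (exact breakpoint enables) with no slot enabled, while a BPM shows up as an Ln/Gn bit plus the R/Wn and LENn fields of that slot. It also builds the bits a debugger would set for one memory breakpoint, which is the other direction of the same layout. The sample values are constructed; nothing here reads the real registers (that needs ring 0).

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 * bits 0-7   : L0,G0,L1,G1,L2,G2,L3,G3  local/global enable per slot
 * bit  8     : LE (local exact)    bit 9 : GE (global exact)
 * bit  10    : reserved, reads as 1
 * bit  13    : GD (general detect: #DB on any MOV to/from DRn)
 * bits 16+4n : R/Wn (2 bits)   bits 18+4n : LENn (2 bits), slot n = 0..3 */
typedef struct {
    int local, global;  /* Ln / Gn */
    int rw;             /* 0 exec, 1 write, 2 I/O (needs CR4.DE), 3 read/write */
    int len;            /* 1, 2, 4 or 8 bytes (8 only valid in 64-bit mode) */
} Dr7Slot;

typedef struct {
    Dr7Slot slot[4];
    int le, ge, gd;
    int reserved_bit10;
    int enabled_slots;  /* slots with L or G set */
} Dr7;

static int len_bytes(unsigned code)
{
    static const int tab[4] = {1, 2, 8, 4};  /* 00=1, 01=2, 10=8 (64-bit), 11=4 */
    return tab[code & 3];
}

Dr7 decode_dr7(uint32_t v)
{
    Dr7 d = {0};
    for (int n = 0; n < 4; n++) {
        d.slot[n].local  = (v >> (2 * n))      & 1;
        d.slot[n].global = (v >> (2 * n + 1))  & 1;
        d.slot[n].rw     = (v >> (16 + 4 * n)) & 3;
        d.slot[n].len    = len_bytes((v >> (18 + 4 * n)) & 3);
        if (d.slot[n].local || d.slot[n].global) d.enabled_slots++;
    }
    d.le = (v >> 8) & 1;
    d.ge = (v >> 9) & 1;
    d.reserved_bit10 = (v >> 10) & 1;
    d.gd = (v >> 13) & 1;
    return d;
}

/* Bits a debugger sets for one memory breakpoint in slot n (len in bytes:
 * 1, 2, 4 or 8). LE/GE are left to the caller; the reserved bit is kept. */
uint32_t dr7_enable_slot(uint32_t dr7, int n, int global, int rw, int len)
{
    static const unsigned code[9] = {0, 0, 1, 0, 3, 0, 0, 0, 2}; /* bytes -> LEN code */
    uint32_t v = dr7 | 0x400u;
    v &= ~(0xFu << (16 + 4 * n));                /* clear R/Wn and LENn */
    v |= (uint32_t)(rw & 3) << (16 + 4 * n);
    v |= (uint32_t)code[len & 8 ? 8 : len & 7] << (18 + 4 * n);
    v |= 1u << (2 * n + (global ? 1 : 0));       /* Ln or Gn */
    return v;
}

static const char *rw_name(int rw)
{
    static const char *names[4] = {"execute", "write", "I/O", "read/write"};
    return names[rw & 3];
}

void print_dr7(uint32_t v)
{
    Dr7 d = decode_dr7(v);
    printf("DR7=%08x  LE=%d GE=%d GD=%d  enabled slots=%d\n",
           v, d.le, d.ge, d.gd, d.enabled_slots);
    for (int n = 0; n < 4; n++)
        if (d.slot[n].local || d.slot[n].global)
            printf("  DR%d: %s%s %s, %d byte(s)\n", n,
                   d.slot[n].local ? "L" : "", d.slot[n].global ? "G" : "",
                   rw_name(d.slot[n].rw), d.slot[n].len);
}

int main(void)
{
    /* Constructed values: the two quoted in the text, then a 4-byte
     * read/write breakpoint in slot 1 (what a BPM RW would look like). */
    print_dr7(0x400);
    print_dr7(0x700);
    print_dr7(dr7_enable_slot(0x700, 1, 1, 3, 4));
    return 0;
}
```

A protection that does this check should itself be caught by the GD bit: with bit 13 set, any MOV from a debug register raises #DB before the value is read, which is exactly where a tracer wants to land.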

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SoftICE for Windows 9x driver answers an open request. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device name \\.\SICE once the C escapes are resolved */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile); /* the driver is there: release the handle */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is lpFileName; +4 skips the "\\.\" prefix
so the comparison lands on the driver name):
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
*(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

push 00 ; OF_READ
mov eax,[00656634] ; '\\.\SICE',0
push eax
call KERNEL32!_lopen
inc eax ; HFILE_ERROR (-1) becomes 0
jnz 00650589 ; detected
push 00 ; OF_READ
mov eax,[00656638] ; '\\.\SICE'
push eax
call KERNEL32!_lopen
inc eax
jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

push 0000004fh ; function 4fh
push 002a002ah ; high word specifies which VxD (VWIN32)
; low word specifies which service
; (VWIN32_Int41Dispatch)
call Kernel32!ORD_0001 ; VxDCall
cmp ax, 0f386h ; magic number returned by system debuggers
jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and 0x37
are the offsets of 'tICE' inside the subkey strings of #2 and #1):
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

VMMCall Test_Debug_Installed
je not_installed ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>