<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet. It issues the
BoundsChecker request that SoftICE answers: with EBP = 'BCHK' and AX = 4,
an int 3 is treated by SoftICE as a BoundsChecker call and AL no longer
holds 4 on return, so AL still equal to 4 afterwards means no SoftICE.
Under Win32 an int 3 that no debugger answers raises EXCEPTION_BREAKPOINT,
so 32-bit protectors wrap the sequence in an exception handler (the same
SEH trick as in the Method 02 example):

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints, execute SoftICE commands, etc. It is also used to crash SoftICE
or to force it to execute arbitrary commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; back door call (if SoftICE is not loaded,
                              ; jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy: jump back.
    4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS and... HBOOT.

* the "jmp to 00ADh" is performed via an SEH (exception handler) if the
  debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less-used method. It looks for the SoftICE VxD ID via int 2Fh/1684h (Get
VxD API entry point). If the VxD is loaded, ES:DI receives the address of
its API entry point; if not, ES:DI is left untouched, which is why the code
zeroes ES and DI first and then tests whether either changed:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (the "debugger installation
check"). There are several variants. The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method and the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the real-mode int 41h vector is
swapped for a dummy handler before the call and restored afterwards: if the
interrupt really goes through the IVT, the dummy handler runs and AX comes
back unchanged; SoftICE intercepts int 41h below the IVT and still answers
F386h, so the swapped vector does not hide it:

    ; ES is assumed to point at the interrupt vector table (ES = 0),
    ; as set up explicitly in Method 06.
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

Second method, similar to the preceding one but harder to detect: AX is not
4Fh but a byte read from the timer (port 40h), so a breakpoint such as
"BPINT 41 if ax==4f" never triggers. The dummy handler copies AL into CL; if
the call reaches it, CL == AL afterwards. If something else handles int 41h
instead, CL keeps the 0 it was given and the comparison fails (unless the
timer byte happens to be 0, a 1-in-256 false negative):

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value from the PIT
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX = new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether a VxD is installed for the
specified device, and returns its Device Description Block (in ECX) if it is.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless here ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7 = 0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise; 0x400 is just the always-set reserved bit
10, and 0x700 adds the LE/GE exact-match bits) or whether memory breakpoints
are set (BPMs live in DR0 to DR3), simply by reading their values. MOV from
a debug register is a privileged instruction, so this only works in ring 0;
a ring-3 program that tries it faults. The values can be manipulated or
changed as well (clearing BPMs, for instance).
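
Reading DR7 only tells you something once you know its bit layout. The
Python below is an added example (it is not part of this text): it decodes
a DR7 value into the enable, LE/GE/GD and per-slot R/W and LEN fields as
laid out in the Intel manuals, applies the 0x700 / 0x400 heuristic from the
paragraph above, and shows the mask that wipes the BPM slots while leaving
the rest of the register alone. The register values fed to it are
constructed for the example, since a user-mode script cannot read DRn itself
(that is exactly the ring 0 restriction mentioned above); the function names
decode_dr7, classify and clear_bpm are chosen for this example.

```python
# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   L0,G0 .. L3,G3   local/global enable for DR0..DR3
#   bits 8,9   LE, GE           legacy "exact" breakpoint match bits
#   bit 10     reserved, always reads as 1 (hence the 0x400 baseline)
#   bit 13     GD               general detect: any DRn access faults
#   bits 16-31 R/Wn, LENn       condition and size for DR0..DR3

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 is 8 only in 64-bit mode

BPM_SLOT_MASK = 0xFFFF00FF   # enable bits 0-7 plus every R/W and LEN field


def decode_dr7(dr7):
    """Decode a DR7 value into its named fields and four breakpoint slots."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        slots.append({"enabled": bool(local or glob),
                      "kind": RW_KIND[rw],
                      "length": LEN_BYTES[ln]})
    return {"LE": bool((dr7 >> 8) & 1),
            "GE": bool((dr7 >> 9) & 1),
            "GD": bool((dr7 >> 13) & 1),
            "slots": slots}


def classify(dr7, dr0_3=(0, 0, 0, 0)):
    """Heuristic from the text: an enabled slot is a BPM (address in DRn),
    LE+GE on top of the baseline (0x700) means the SoftICE loader started
    the program, and the bare 0x400 baseline is clean."""
    state = decode_dr7(dr7)
    active = [(n, dr0_3[n], s["kind"], s["length"])
              for n, s in enumerate(state["slots"]) if s["enabled"]]
    if active:
        return "hardware breakpoints", active
    if state["LE"] and state["GE"]:
        return "softice loader", []
    if dr7 == 0x400:
        return "clean", []
    return "unknown", []


def clear_bpm(dr7):
    """DR7 with every breakpoint slot disabled and its condition cleared,
    keeping LE/GE/GD and the reserved bit (what a protector writes back
    from ring 0 when it 'clears BPMs')."""
    return dr7 & ~BPM_SLOT_MASK & 0xFFFFFFFF


# Constructed register dumps for the three cases discussed in the text.
SAMPLES = {
    "idle":    (0x400, (0, 0, 0, 0)),
    "loader":  (0x700, (0, 0, 0, 0)),
    # DR0 = 0x401000, L0 set, R/W0 = write, LEN0 = 4 bytes: a 4-byte write BPM
    "bpm_set": (0xD0401, (0x401000, 0, 0, 0)),
}

if __name__ == "__main__":
    for name, (dr7, regs) in SAMPLES.items():
        print(name, hex(dr7), classify(dr7, regs))
    print("after clear_bpm:", hex(clear_bpm(0xD0401)))
```

Note that the R/W value 0b10 only means an I/O breakpoint when CR4.DE is set
and LEN 0b10 is undefined outside 64-bit mode, so a decoder that sees those
on a Win9x box is looking at garbage rather than a breakpoint.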

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed via
www.winfiles.com. However, it was first used by NuMega to let Symbol Loader
check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver device names (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. A driver that is not loaded has
no device name to open, so CreateFile fails with INVALID_HANDLE_VALUE.

Here is a sample (checking for 'SICE'):

#include "windows.h"

/* TRUE if the Win9x SoftICE device "\\.\SICE" can be opened,
   i.e. the driver is loaded and accepts DIOC_OPEN. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall), and then walks the
DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how on earth could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001       ; INVALID_HANDLE_VALUE
    00401074: je   00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix so the four
 bytes compared are the start of the device name)

-The most exotic ones (can be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                         ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                         ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on
failure, so "inc eax" leaves 0 only when the open failed):

    push 00                  ; OF_READ
    mov  eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax
    jnz  00650589            ; detected
    push 00                  ; OF_READ
    mov  eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall back door. This detection was found in the
Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp  ax, 0F386h         ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
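
The instruction sequences in methods 01 to 07, 11 and 12 are fixed enough
that an unpacker or a static scanner can look for them before the target is
ever run, which is the other side of the BPX lists above. The script below
is an added example (it is not part of this text, nor a tool from any of the
programs quoted here): it encodes each sequence as a byte regex, with an
optional 0x66 operand-size prefix so one pattern covers both the 16-bit DOS
and the 32-bit Win32 encoding, and scans three constructed blobs modelled on
the HASPINST loop, on the Bleem/MeltICE fragments and on a clean prologue.
The signature names, the gaps allowed between instructions and the sample
bytes are assumptions made for the example; the opcodes themselves are the
standard x86 encodings of the instructions shown in the methods above.

```python
import re

# Each entry is a byte regex for one of the instruction sequences above.
# An optional 0x66 operand-size prefix lets the same pattern match the 16-bit
# (DOS) and 32-bit (Win32) encodings; the lazy ".{0,n}?" gaps tolerate a few
# unrelated bytes between the instructions (the HASPINST loop has "mov dx,[bx]"
# between "mov ax,0911" and the magic values).
SIGNATURES = {
    "m01_bchk_int3":
        rb"\x66?\xbd\x4b\x48\x43\x42"            # mov ebp, 'BCHK'
        rb".{0,8}?\x66?\xb8\x04\x00"             # mov ax, 4
        rb".{0,4}?\xcc",                         # int 3
    "m02_backdoor_magic":
        rb"\x66?\xbe\x47\x46"                    # mov si, 4647h
        rb".{0,4}?\x66?\xbf\x4d\x4a"             # mov di, 4A4Dh
        rb".{0,8}?\xcc",                         # int 3
    "m03_int2f_sice":
        rb"\x66?\xb8\x84\x16"                    # mov ax, 1684h
        rb".{0,4}?\x66?\xbb\x02\x02"             # mov bx, 0202h (SICE)
        rb".{0,4}?\xcd\x2f",                     # int 2Fh
    "m04_int2f_siwvid":
        rb"\x66?\xb8\x84\x16"
        rb".{0,4}?\x66?\xbb\x5f\x7a"             # mov bx, 7A5Fh (SIWVID)
        rb".{0,4}?\xcd\x2f",
    "m05_int41_4f":
        rb"\x66?\xb8\x4f\x00\xcd\x41",           # mov ax, 4Fh / int 41h
    "m07_int68_43":
        rb"\xb4\x43\xcd\x68",                    # mov ah, 43h / int 68h
    "m11_device_name":
        re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00",  # "\\.\SICE" etc.
    "m12_vxdcall_int41":
        rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)"    # push 4Fh (imm8 or imm32)
        rb"\x68\x2a\x00\x2a\x00",                # push 002A002Ah
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob):
    """Return {signature name: [offsets]} for every sequence found in blob."""
    hits = {}
    for name, rx in COMPILED.items():
        offsets = [m.start() for m in rx.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed samples (not real files): a 16-bit fragment modelled on the
# HASPINST loop of Method 02, a Win32 fragment mixing Methods 05, 12 and 11,
# and a clean function prologue/epilogue.
SAMPLE_DOS = (b"\x90" * 4
              + b"\xb8\x11\x09"            # mov ax, 0911h
              + b"\x8b\x17"                # mov dx, [bx]
              + b"\xbe\x47\x46"            # mov si, 4647h
              + b"\xbf\x4d\x4a"            # mov di, 4A4Dh
              + b"\xcc"                    # int 3
              + b"\x83\xc3\x02"            # add bx, 2
              + b"\x90" * 4)
SAMPLE_WIN32 = (b"\x55\x8b\xec"                     # push ebp / mov ebp, esp
                + b"\x66\xb8\x4f\x00\xcd\x41"        # mov ax, 4Fh / int 41h
                + b"\x66\x3d\x86\xf3"                # cmp ax, 0F386h
                + b"\x6a\x4f\x68\x2a\x00\x2a\x00"    # push 4Fh / push 002A002Ah
                + b"\x00\x00"
                + b"\\\\.\\SICE\x00"                 # "\\.\SICE"
                + b"\\\\.\\NTICE\x00")               # "\\.\NTICE"
SAMPLE_CLEAN = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\xc9\xc3"

if __name__ == "__main__":
    for label, blob in (("dos", SAMPLE_DOS), ("win32", SAMPLE_WIN32),
                        ("clean", SAMPLE_CLEAN)):
        print(label, scan(blob))
```

The magic values and the device names are the reliable part; a protector
that loads SI/DI through a register or builds "\\.\SICE" at run time slips
past the byte patterns, which is why the BPX conditions above remain the
last word when a static scan finds nothing.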
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
inside the sub-key strings of #2 and #1 respectively)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>