<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

     mov ebp, 04243484Bh   ; 'BCHK'
     mov ax, 04h
     int 3
     cmp al,4              ; al is still 4 if nobody answered the BCHK call
     jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce windows)
 -AX = 0911h (Execute SIce commands; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

  4C19:0095 MOV AX,0911    ; execute command.
  4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
  4C19:009A MOV SI,4647    ; 1st magic value.
  4C19:009D MOV DI,4A4D    ; 2nd magic value.
  4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*)
  4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
  4C19:00A4 INC CX
  4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
  4C19:00A8 JB 0095        ; 6 different commands.
  4C19:00AA JMP 0002       ; Bad_Guy jmp back.
  4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

     xor di,di
     mov es,di
     mov ax, 1684h
     mov bx, 0202h        ; VxD ID of winice
     int 2Fh
     mov ax, es           ; ES:DI -> VxD API entry point
     add ax, di
     test ax,ax
     jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

     xor di,di
     mov es,di
     mov ax, 1684h
     mov bx, 7a5Fh        ; VxD ID of SIWVID
     int 2fh
     mov ax, es           ; ES:DI -> VxD API entry point
     add ax, di
     test ax,ax
     jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

     mov ax,4fh
     int 41h
     cmp ax, 0F386h
     jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

     xor ax,ax
     mov es,ax               ; ES=0 so that es:[41h*4] addresses the interrupt vector table
     mov bx, cs
     lea dx, int41handler2
     xchg dx, es:[41h*4]     ; install a dummy int 41h handler, keeping the old vector in bx:dx
     xchg bx, es:[41h*4+2]
     mov ax,4fh
     int 41h
     xchg dx, es:[41h*4]     ; restore the original vector
     xchg bx, es:[41h*4+2]
     cmp ax, 0f386h          ; only a debugger sitting below the IVT can have set this
     jz SoftICE_detected

int41handler2 PROC
     iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
     mov cl,al
     iret
int41handler ENDP


     xor ax,ax
     mov es,ax
     mov bx, cs
     lea dx, int41handler
     xchg dx, es:[41h*4]
     xchg bx, es:[41h*4+2]
     in al, 40h              ; timer counter: an unpredictable byte
     xor cx,cx
     int 41h                 ; our handler copies al into cl... unless a debugger took the int
     xchg dx, es:[41h*4]
     xchg bx, es:[41h*4+2]
     cmp cl,al
     jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

     mov ah,43h
     int 68h
     cmp ax,0F386h
     jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

     BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), with ds:dx pointing
to the new routine to execute (hangs computer...):

     mov ah, 25h
     mov al, Int_Number             ; 01h or 03h
     mov dx, offset New_Int_Routine
     int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

     mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
     mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
     VMMCall Get_DDB
     mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
     bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

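As an added example (not code from the original page), a Python decoder for the DR7 readings quoted above: it uses the Intel-documented DR7 bit layout, and the sample values are constructed.

```python
# Added example, not code from the original page: decode a DR7 value into
# the fields Method 10 looks at. Intel-documented layout: L0..L3 and G0..G3
# enable bits in bits 0..7, LE bit 8, GE bit 9, bit 10 reserved (reads as 1,
# hence the 0x400 baseline), GD bit 13, then R/Wn in bits 16+4n and LENn in
# bits 18+4n for breakpoint n.
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the global flags and the list of enabled breakpoints in DR7."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            bps.append({
                "index": n,
                "scope": "global" if glob else "local",
                "type": RW_NAMES[(dr7 >> (16 + 4 * n)) & 3],
                "length": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],
            })
    return {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
        "breakpoints": bps,
    }


def classify_dr7(dr7: int) -> str:
    """Map a DR7 reading to the three situations the page describes."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints armed (BPM set)"
    if d["le"] and d["ge"]:
        return "LE/GE set: loaded through the SoftICE loader (0x700)"
    return "baseline only (0x400): no sign of SoftICE"


if __name__ == "__main__":
    # Constructed readings: the two values quoted above plus one BPM R/W dword on DR0
    for value in (0x700, 0x400, 0x400 | 0x1 | (3 << 16) | (3 << 18)):
        print(f"DR7={value:#x}: {classify_dr7(value)}  {decode_dr7(value)}")
```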
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
     HANDLE hFile;
     hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
     if( hFile != INVALID_HANDLE_VALUE )
     {
          CloseHandle(hFile);
          return TRUE;
     }
     return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


     00401067: push 00402025       ; \\.\SICE
     0040106C: call CreateFileA
     00401071: cmp eax,-001
     00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
     BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
     BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
     BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

     BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
     BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

     push 00                 ; OF_READ
     mov eax,[00656634]      ; '\\.\SICE',0
     push eax
     call KERNEL32!_lopen
     inc eax
     jnz 00650589            ; detected!
     push 00                 ; OF_READ
     mov eax,[00656638]      ; '\\.\SICE'
     push eax
     call KERNEL32!_lopen
     inc eax
     jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

     push 0000004fh             ; function 4fh
     push 002a002ah             ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
     call Kernel32!ORD_001      ; VxdCall
     cmp ax, 0f386h             ; magic number returned by system debuggers
     jz SoftICE_detected

Here again, several ways to detect it:

     BPINT 41 if ax==4f

     BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
     BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

     BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f     ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

     VMMCall Test_Debug_Installed
     je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>