<TABLE width=500>
" G1 C4 ]' s- h h- k<TBODY>; E1 S5 a3 E7 _
<TR>9 ~8 n e2 F: c
<TD><PRE>Method 01 0 Q) N# E! \ Q8 E9 }
=========1 Z, R6 ?* i4 p/ ]) K4 U
4 b/ E% B, _* v2 x+ t [& p0 {, j3 k6 u
This method of detection of SoftICE (as well as the following one) is
: n% @# Z1 E2 [, o5 p9 Vused by the majority of packers/encryptors found on Internet.
, K7 V' I! D, M, HIt seeks the signature of BoundsChecker in SoftICE# l- `, d: v$ h6 {( W! G# }' W8 x
: B. E! L/ e# H) m& P: W mov ebp, 04243484Bh ; 'BCHK'
0 B; B+ G' O1 y$ S. d; N7 G3 W, X mov ax, 04h% Q H% g* K: u9 i6 n, S. E+ `
int 3
- l r( u: k% n8 G, [# P/ u cmp al,4
2 W& M. d. U( \$ i1 k) t( L jnz SoftICE_Detected
% r2 x( W9 m2 f: _9 B1 ?) |; v) j
___________________________________________________________________________
$ k' z" Q! r5 [- G7 P- n) T" f! N* o1 N }6 x& f
Method 02
=========

Still a widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file Haspinst.exe, the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; DS:DX points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (a hard reboot of the machine).

* The "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). If the VxD is not installed, ES:DI comes back
as 0:0.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next variant, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It first points the int 41h vector
(ES must be 0, i.e. the interrupt vector table) at its own dummy handler,
so that without a debugger the call simply returns with AX unchanged:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own handler
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one, but more difficult to
detect. The replacement handler copies AL into CL; AL is loaded with an
arbitrary value read from the timer port (in al,40h) and CX is zeroed
before the int 41h. If the program's own handler ran, CL equals AL
afterwards; if SoftICE intercepted the interrupt instead, CL is still 0
and the comparison fails:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; swap in our own handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; arbitrary value from the PIT counter
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

" {5 m; z& z- r; BMethod 077 M# B2 x: `4 m2 n9 f! \6 v2 g/ m
=========$ d+ y( `( }! s. C; M; H! p
" w# R8 n* y+ w5 S3 b0 ~Method of detection of the WinICE handler in the int68h (V86)
' }# c ~# {3 _; O$ q: Q! @5 h$ r8 M. H$ q; E- `3 N
mov ah,43h4 U9 K& V$ b- K, l
int 68h
: v$ G& ^1 O7 O0 N4 S cmp ax,0F386h+ u2 w3 d: j9 Z" t6 u6 ^9 u
jz SoftICE_Detected
) Q- f* i2 d+ _( S
, M/ _+ q8 ?1 ?: {2 J+ I
- R! h; ]5 W7 L _2 T=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
; ^/ C3 _6 \: E$ i app like this:: ^! l: f% M- W1 D
9 I6 U( Q! E( X( @ BPX exec_int if ax==68
* |4 A+ u, o- f& ]4 P- M5 t. j$ g" C" d (function called is located at byte ptr [ebp+1Dh] and client eip is
* Q" m" |+ q$ @7 H9 ^/ d& X located at [ebp+48h] for 32Bit apps)4 S4 U/ L# d ^
__________________________________________________________________________
. m( M7 o' e$ S& v
3 w8 P! ^' m: ~; u, M- k0 S% U; N/ `. f* Z# l- T: U) K
Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
DS:DX pointing to the new routine to execute (hangs the computer...).

        mov ah, 25h             ; set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring-3 app via VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID (VxD IDs)
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the program
with the SoftICE loader, 0x400 otherwise) or whether some memory
breakpoints are set (DR0 to DR3), simply by reading their values (in
ring 0 only). The values can be manipulated or changed as well (clearing
BPMs, for instance).
Note that 0x400 is just the reserved bit 10 of DR7, which always reads as
1; 0x700 additionally has the LE and GE bits (8 and 9) set, while none of
the L0-L3/G0-G3 enable bits is set in either value.
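As an added illustration (not code from this page or from the tool it documents), here is a small decoder that turns a DR7 value such as the 0x400/0x700 quoted above into its individual fields. It assumes the standard x86 DR7 layout: L0/G0..L3/G3 in bits 0-7, LE/GE in bits 8-9, the always-set reserved bit 10, GD in bit 13, and one RWn/LENn pair per slot from bit 16 upwards. Reading DR7 itself still needs ring 0, as the text says; the decoder only interprets a value you already have, and the third sample value is constructed here to show a 4-byte write watchpoint in DR0.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 bit layout (standard x86 debug-control register).
 * Bits 0-7 : L0,G0,L1,G1,L2,G2,L3,G3  enable DR0..DR3 locally / globally
 * Bits 8,9 : LE, GE                  "exact" breakpoint enables (what 0x700 adds to 0x400)
 * Bit 10   : reserved, always reads as 1 (the 0x400 the page mentions)
 * Bit 13   : GD  general detect: trap on any access to a debug register
 * Bits 16+ : RWn (2 bits) and LENn (2 bits) for each slot n, 4 bits per slot
 */
enum { DR7_LE = 1u << 8, DR7_GE = 1u << 9, DR7_RESERVED10 = 1u << 10, DR7_GD = 1u << 13 };

int dr7_slot_local(uint32_t dr7, int n)   { return (dr7 >> (2 * n)) & 1; }
int dr7_slot_global(uint32_t dr7, int n)  { return (dr7 >> (2 * n + 1)) & 1; }
int dr7_slot_enabled(uint32_t dr7, int n) { return ((dr7 >> (2 * n)) & 3) ? 1 : 0; }
int dr7_slot_rw(uint32_t dr7, int n)      { return (dr7 >> (16 + 4 * n)) & 3; } /* 0=exec 1=write 2=I/O 3=read/write */

/* LEN field -> bytes. The 10b encoding means 8 bytes only in 64-bit mode and is undefined on 32-bit. */
int dr7_slot_len(uint32_t dr7, int n) {
    switch ((dr7 >> (18 + 4 * n)) & 3) { case 0: return 1; case 1: return 2; case 3: return 4; default: return 8; }
}

int dr7_enabled_count(uint32_t dr7) {
    int c = 0;
    for (int n = 0; n < 4; n++) c += dr7_slot_enabled(dr7, n);
    return c;
}

/* The page's loader heuristic: 0x700 = reserved bit 10 + LE + GE, with no slot enabled. */
int dr7_looks_like_softice_loader(uint32_t dr7) {
    return (dr7 & DR7_LE) && (dr7 & DR7_GE) && dr7_enabled_count(dr7) == 0;
}

static const char *rw_name(int rw) {
    static const char *names[] = { "execute", "write", "I/O", "read/write" };
    return names[rw & 3];
}

void dr7_print(uint32_t dr7) {
    printf("DR7=%08x  LE=%d GE=%d GD=%d bit10=%d  enabled=%d%s\n", dr7,
           !!(dr7 & DR7_LE), !!(dr7 & DR7_GE), !!(dr7 & DR7_GD), !!(dr7 & DR7_RESERVED10),
           dr7_enabled_count(dr7),
           dr7_looks_like_softice_loader(dr7) ? "  <- SoftICE loader pattern" : "");
    for (int n = 0; n < 4; n++)
        if (dr7_slot_enabled(dr7, n))
            printf("  DR%d: %s%s %s, len %d\n", n,
                   dr7_slot_local(dr7, n) ? "L" : "", dr7_slot_global(dr7, n) ? "G" : "",
                   rw_name(dr7_slot_rw(dr7, n)), dr7_slot_len(dr7, n));
}

int main(void) {
    dr7_print(0x400);        /* value quoted on the page: nothing but the reserved bit */
    dr7_print(0x700);        /* value quoted on the page: loaded with the SoftICE loader */
    dr7_print(0x000D0401u);  /* constructed: DR0 local, write, 4 bytes (a memory write breakpoint) */
    return 0;
}
```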

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega to
let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* TRUE when a handle to the SICE device can be opened, i.e. the SoftICE
   VxD is loaded. SIWVID and NTICE are checked the same way. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is the lpFileName argument, +4 skips the
 '\\.\' prefix):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit-style
_lopen function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of 'tICE' inside keys #2 and #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
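Most of the checks listed above reduce to a few fixed instruction bytes or a fixed string, so they can be located statically in a binary before it is ever run. The scanner below is an added example (not code from this page or from the tool it documents): it carries the 16-bit encodings of the instruction sequences from Methods 01 to 07 and 12 (the same bytes appear in 32-bit code behind a 66h operand-size prefix, so they match there too), the device names from Method 11 and the registry key from Method 13, and runs them over a buffer constructed here for illustration. The signature labels are my own. Packed or encrypted code hides these bytes until it is unpacked, and a short match such as cmp ax,0F386h alone is only a hint.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *name;   /* my own label naming the page's method the pattern comes from */
    const uint8_t *bytes;
    size_t         len;
} sig_t;

/* Instruction encodings of the checks shown on the page (16-bit code; mov ebp,imm32
 * is BDh in 32-bit code and 66h BDh in 16-bit code, so the 5 bytes below match both). */
static const uint8_t M01_BCHK[]    = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };                   /* mov ebp,'BCHK' */
static const uint8_t M02_MAGIC[]   = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };             /* mov si,4647h / mov di,4A4Dh */
static const uint8_t M03_SICE[]    = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,202h / int 2Fh */
static const uint8_t M04_SIWVID[]  = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,7A5Fh / int 2Fh */
static const uint8_t M05_INT41[]   = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };                   /* mov ax,4Fh / int 41h */
static const uint8_t M05_F386[]    = { 0x3D, 0x86, 0xF3 };                               /* cmp ax,0F386h */
static const uint8_t M07_INT68[]   = { 0xB4, 0x43, 0xCD, 0x68 };                         /* mov ah,43h / int 68h */
static const uint8_t M12_VXDCALL[] = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 };       /* push 4Fh / push 2A002Ah */

#define BYTESIG(label, arr) { label, (arr), sizeof (arr) }
#define STRSIG(label, str)  { label, (const uint8_t *)(str), sizeof (str) - 1 }

static const sig_t SIGS[] = {
    BYTESIG("M01 BoundsChecker int 3 ('BCHK')",        M01_BCHK),
    BYTESIG("M02 back door magic SI/DI ('FG','JM')",   M02_MAGIC),
    BYTESIG("M03 int 2F/1684 VxD ID 0202 (SICE)",      M03_SICE),
    BYTESIG("M04 int 2F/1684 VxD ID 7A5F (SIWVID)",    M04_SIWVID),
    BYTESIG("M05 int 41/4F debugger check",            M05_INT41),
    BYTESIG("M05/07/12 compare with magic F386",       M05_F386),
    BYTESIG("M07 int 68/43 WinICE handler check",      M07_INT68),
    BYTESIG("M12 VxDCall VWIN32_Int41Dispatch(4F)",    M12_VXDCALL),
    STRSIG ("M11 MeltICE device name \\\\.\\SICE",      "\\\\.\\SICE"),
    STRSIG ("M11 MeltICE device name \\\\.\\SIWVID",    "\\\\.\\SIWVID"),
    STRSIG ("M11 MeltICE device name \\\\.\\NTICE",     "\\\\.\\NTICE"),
    STRSIG ("M13 registry key Software\\NuMega\\SoftICE", "Software\\NuMega\\SoftICE"),
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Offset of the k-th match (in offset order) of any signature in buf, or -1 when there
 * are fewer than k+1 matches. *name receives the label of that match. */
long nth_hit(const uint8_t *buf, size_t n, size_t k, const char **name) {
    size_t seen = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t s = 0; s < NSIGS; s++)
            if (SIGS[s].len <= n - i && memcmp(buf + i, SIGS[s].bytes, SIGS[s].len) == 0)
                if (seen++ == k) { if (name) *name = SIGS[s].name; return (long)i; }
    return -1;
}

size_t count_hits(const uint8_t *buf, size_t n) {
    size_t c = 0;
    while (nth_hit(buf, n, c, NULL) >= 0) c++;
    return c;
}

/* Constructed sample, not taken from any real file: a Haspinst-style back-door sequence,
 * a 32-bit int 41h/4Fh check and a MeltICE device name, separated by NOPs. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,
    0xB8, 0x11, 0x09,                    /* mov ax,0911h (execute command) */
    0x8B, 0x17,                          /* mov dx,[bx] */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A,  /* mov si,4647h / mov di,4A4Dh        -> hit at offset 7 */
    0xCC,                                /* int 3 */
    0x90,
    0x66, 0xB8, 0x4F, 0x00, 0xCD, 0x41,  /* mov ax,4Fh / int 41h (66h prefix)  -> hit at offset 16 */
    0x66, 0x3D, 0x86, 0xF3,              /* cmp ax,0F386h                      -> hit at offset 22 */
    0x90,
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,  /* "\\.\SICE"              -> hit at offset 26 */
};

int main(void) {
    const char *name;
    for (size_t k = 0; ; k++) {
        long off = nth_hit(SAMPLE, sizeof SAMPLE, k, &name);
        if (off < 0) break;
        printf("offset %04lx: %s\n", (unsigned long)off, name);
    }
    return 0;
}
```

Run against a real DOS or Win32 image, nth_hit/count_hits take the whole file as the buffer; pairing a hit on the 'FG'/'JM' magic values or the int 41h/4Fh sequence with a nearby F386h compare is what distinguishes an anti-SoftICE check from a stray byte coincidence.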
</PRE></TD></TR></TBODY></TABLE>