<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

(No magic number appears here: without a debugger, int 41h reaches the
program's own handler, which copies the timer byte read into AL to CL; when
SoftICE intercepts int 41h that handler never runs, so CL stays 0 and the
compare fails.)

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in the int68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

    BPX exec_int if ax==68
    (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* opening the VxD by its device name only succeeds if SoftICE is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!


__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
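The instruction sequences and strings quoted in methods 01 to 13 above double as static signatures for spotting these checks in a binary under analysis. The scanner below is an added example, not code from the original text or from any tool it names; the byte encodings follow the listings above, while the signature names, the regex set and the sample buffer are constructed here.

```python
import re

# Added example: static triage scanner for the anti-SoftICE checks described
# above. Each pattern is the instruction encoding of the listing on the page
# (16-bit for the DOS/int tricks; an optional 66h operand-size prefix lets the
# same sequence match inside 32-bit code). Signature names are our own labels.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    ("01 BCHK int 3", rb"\xbd\x4b\x48\x43\x42(?:\x66\xb8\x04\x00\xcc)?"),
    # Method 02: mov si,4647h ; mov di,4A4Dh (SoftICE back-door magic values)
    ("02 back-door magic", rb"(?:\x66)?\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04 int 2F/1684", rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    # Method 05: mov ax,4Fh ; int 41h
    ("05 int 41/4F", rb"(?:\x66)?\xb8\x4f\x00\xcd\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68/43", rb"\xb4\x43\xcd\x68"),
    # Method 11: device names handed to CreateFileA / _lopen
    ("11 driver name", re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 2A002Ah (VxDCall VWIN32_Int41Dispatch)
    ("12 VxDCall Int41Dispatch", rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    # Method 13: the NuMega registry key (key #2 on the page)
    ("13 registry key", re.escape(b"Software\\NuMega\\SoftICE")),
]
COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES]


def scan(data):
    """Return (offset, signature name) pairs for every match, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample buffer (not a real binary): NOP filler with four of the
# checks embedded at offsets 4, 20, 30 and 38.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"   # Method 01
    + b"\x90" * 6
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"               # Method 02 followed by int 3
    + b"\x90" * 3
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"               # Method 12
    + b"\x00\\\\.\\SICE\x00"                        # Method 11 device name
)

if __name__ == "__main__":
    import sys
    # Scan a file given on the command line, or the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(blob):
        print(f"{off:#08x}  {name}")
```

Matches are only hints: a packer can split or reorder these instructions, so a hit should be confirmed in a disassembler and a miss proves nothing.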