<TABLE width=500>$ j+ h' Y, }% `8 c& u: @' T( U
<TBODY>, a" v! @/ f. i% o) [, B
<TR>0 O- Z: r6 n. M8 `
<TD><PRE>Method 01 5 }% J& H* l; a5 }" m
=========! R- s, b0 s0 l- U
* F- h: t4 c7 {* C+ N$ I( o9 V5 _ p4 FThis method of detection of SoftICE (as well as the following one) is
" {, v* p$ n g8 dused by the majority of packers/encryptors found on Internet.
3 R8 N3 S! e$ Q( l3 q& N2 n# rIt seeks the signature of BoundsChecker in SoftICE
% b8 X; D& ^# _, h2 B. c3 y) J9 }* w% k6 _
mov ebp, 04243484Bh ; 'BCHK' a# b, o) N6 t0 s0 l
mov ax, 04h* t/ [3 D" y8 |' u. D
int 3
; f6 h- ~$ K2 @2 l. p* Y: `" j cmp al,4& a7 i3 T% b& M/ N3 ]; U2 h
jnz SoftICE_Detected3 B+ v' A) ~; S# n' Z0 H
+ x' P1 {: J# W" W% @; I N
___________________________________________________________________________6 ~/ X$ |. l! V% i1 Z$ d! j
0 y1 \/ A' y1 ^1 D' G
Method 02
* E: \4 s+ g. P+ D3 w0 |: j=========/ h3 _) Z$ A* R" C- R
& o8 X6 d# [( `1 sStill a method very much used (perhaps the most frequent one). It is used$ n& _* ^+ T: D# T5 O
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
2 t; b V3 y7 G3 c& Kor execute SoftICE commands...6 m, `, X- ~: B% m1 p# {) \
It is also used to crash SoftICE and to force it to execute any commands
8 |& I# }) o. @4 g. ^(HBOOT...) :-(( 2 T* c) S5 A2 }6 d1 l( G
/ X7 s* \, Z3 d( r7 X: y# j7 OHere is a quick description:2 Z- y) o0 r6 u8 y
-AX = 0910h (Display string in SIce windows)" k* v$ ~( x. D" F
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
7 a3 Y4 |0 E K+ p! R' e& D/ E-AX = 0912h (Get breakpoint infos)1 p4 z% a% m7 o4 p7 w( f
-AX = 0913h (Set Sice breakpoints)
3 U, I6 H; b/ t& R5 o+ W( A/ Z& T; U; X-AX = 0914h (Remove SIce breakoints)
; M1 `* d$ q8 L( w2 [) {0 H+ x. y; U: P# ?. E% q; c
Each time you'll meet this trick, you'll see:2 l5 B8 a! B/ T1 i1 t/ ~. y" g0 Y
-SI = 4647h/ g( d/ v' \' o& L% ]# b
-DI = 4A4Dh+ i- }# J' v: m8 [# f8 R
Which are the 'magic values' used by SoftIce.4 j" Q1 L+ ]4 o9 G o
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
6 s+ T, |! ~$ y! g, b
. s0 B5 T$ ^) r' HHere is one example from the file "Haspinst.exe" which is the dongle HASP
3 z$ a" _1 }+ G. l3 hEnvelope utility use to protect DOS applications:! P0 a" S- S3 D/ |4 ]
9 K1 M* N6 a5 Z8 @) _5 G
) T7 U, b5 f [8 `- M4C19:0095 MOV AX,0911 ; execute command." |! E' X9 K, i
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).& K4 d1 ?* {) ~; W0 P
4C19:009A MOV SI,4647 ; 1st magic value." @" s; A! q0 \
4C19:009D MOV DI,4A4D ; 2nd magic value.9 M4 f5 ^( T4 i& }6 q" Q7 R
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
5 V7 a ^ Q( D( m$ u" {4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute6 h2 n4 B" Y6 J
4C19:00A4 INC CX7 u3 p O9 w% \. D0 u' A
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute" B6 M e2 c5 |' E# i
4C19:00A8 JB 0095 ; 6 different commands.
' {4 o% U. }7 E7 L+ x) M7 ]4C19:00AA JMP 0002 ; Bad_Guy jmp back.
1 k5 g; v+ X7 Z3 s8 D" o4C19:00AD MOV BX,SP ; Good_Guy go ahead :)4 n+ U& U* s# l( a
- i: G5 P0 L) KThe program will execute 6 different SIce commands located at ds:dx, which
3 l/ o4 B- F4 n. f' d1 ~are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
1 ]. y& m2 S$ V: w2 \+ g& s1 I$ U& f+ D: h9 d) n# n
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded. W/ I$ J) L2 N5 Q: n
___________________________________________________________________________8 C4 |$ ^6 t: q
r' v4 h' H- O% ]
$ l" d* A$ V, `! S% wMethod 033 v: f* [8 E8 Z- `8 {1 O
=========
; o& C: t& h$ t9 B) k4 T R/ L, a8 a9 c: m! u2 Z" J
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h' o! \3 c" W2 w. C t
(API Get entry point)
( m5 y6 h5 ~4 M" V! Y1 T* s . M* q2 E, b& u
! y* w4 G5 S9 u3 g, \: [ xor di,di
6 G- \+ b8 W8 ?3 H$ Q mov es,di1 I2 G" K% F0 j5 b9 ?0 G& v
mov ax, 1684h $ i( u6 h" N3 V* q0 w
mov bx, 0202h ; VxD ID of winice
4 o& ^7 V) n9 }! u) z) t int 2Fh
) z0 A; M- ?3 @ mov ax, es ; ES:DI -> VxD API entry point
/ n: y9 E( F6 ^8 d add ax, di
2 W4 |8 e( N* D f1 H" B test ax,ax2 j& z, x- `. v- z
jnz SoftICE_Detected9 O" I1 h2 ]5 G8 h8 P# C
. K& J$ {! K# x7 |! [. }# E___________________________________________________________________________% P3 j7 u6 ?* P( f: p, {
. b0 I# T. F9 |( e; h
Method 048 u x& o. ?! }: [ E" U% I
=========
% L: m. @ q- p1 T- t, i# s4 U |
( x7 i `! F5 B8 i7 f5 q0 F# zMethod identical to the preceding one except that it seeks the ID of SoftICE
* y" z+ H/ F. ^& w7 \GFX VxD.
+ }4 M" r" ]1 }# a* f$ v" c, i( N, l( {, } E9 h! I
xor di,di
# R. i/ K7 A9 Y$ \& @ mov es,di
, A/ H3 y& {! X7 W2 | mov ax, 1684h
! `. A( j! w+ ]! g9 T mov bx, 7a5Fh ; VxD ID of SIWVID* R0 w9 K P H8 z8 T
int 2fh
& n {9 D' o% l' A mov ax, es ; ES:DI -> VxD API entry point; a% Q0 b# y& w* R8 P5 n V" r( [
add ax, di* q. o- v- r" B, ]& P
test ax,ax; D( U1 @9 T. V3 k5 ~! c' }
jnz SoftICE_Detected- o6 B# F7 G+ T5 y, Y
8 u0 N1 j/ M* ]* t; d& M. ?6 Z0 Z__________________________________________________________________________( Z; Z+ @( ]$ m5 F9 F
/ H7 E3 }6 W, Q7 L( I O
7 L$ a/ n! k+ A4 z/ V/ }# G( EMethod 056 I* O! b( k) J; o' o! p+ [, J) y
=========
6 h3 M* C4 j, Q1 ^
, J$ v6 h, [* U2 p" P% {: QMethod seeking the 'magic number' 0F386h returned (in ax) by all system
8 t7 _# `# l% s# Q5 F. } s+ Q1 rdebugger. It calls the int 41h, function 4Fh.: m( d# Q2 B! y' t3 Q
There are several alternatives. 5 K5 Z6 h' S' n4 p0 d+ Z/ S( e
( g6 W2 Z- I6 G+ n2 AThe following one is the simplest:: U+ j! o6 {8 X" W5 y0 h- B
: H s* J! i6 H( O& p9 Q2 X' l
mov ax,4fh6 u" y7 T; [. v; I) [% D
int 41h
$ t3 g6 \+ v8 k' I cmp ax, 0F386
. z" W" m5 w! b6 \- r jz SoftICE_detected
+ s' }! }2 G X* a6 [- H8 N
9 u/ F4 \$ W% ^1 \" { Z9 k4 D4 C2 @. r' L1 d
Next method as well as the following one are 2 examples from Stone's
7 a9 E) k5 C" ?# k"stn-wid.zip" (www.cracking.net):
. j# X6 A; F% n, z' \1 F; g# E' p
8 {! j \7 u8 W! a4 Z3 U7 S mov bx, cs( c9 j# h) e" E3 u7 \) ^$ X
lea dx, int41handler2
0 |0 m& g& K3 f xchg dx, es:[41h*4]
5 E' ^0 O3 W4 o" _" [. x& K; k xchg bx, es:[41h*4+2]
- {1 X$ O* ~* f9 J/ j- A' B8 r: D mov ax,4fh$ A3 p7 N4 p1 b# y* E
int 41h( f1 |9 O3 A7 c9 Q1 v. k
xchg dx, es:[41h*4]
* q3 O: k5 d! y6 H+ h* h/ r xchg bx, es:[41h*4+2]
- u2 c0 p8 M$ W9 z9 u, w# w cmp ax, 0f386h
+ l/ v' V( ?2 B' i4 { jz SoftICE_detected
( L" F' Z+ G" r% w/ m" e1 d7 _' C+ r1 A4 V$ h0 j) e Z
int41handler2 PROC
i0 m1 w# b# q8 Q1 g iret) h$ P1 ]. Z+ ?. R% Q7 p8 ?
int41handler2 ENDP: f1 a2 I: B" f' ]6 [
; n( H$ ]) y: L# t( h' q
2 W/ k7 ^4 }& |
_________________________________________________________________________
- Z* n% s7 [3 I: q2 k! H* e8 W2 l9 G+ n. R$ I
! Z3 @1 p" R# v- B, d" ^8 J
Method 06
Z* d$ \# F2 J6 H: j) E: I=========# S8 E$ }$ R- k
2 Z+ f6 x) h: P2 t
+ ^) K! f" n( A, @
2nd method similar to the preceding one but more difficult to detect:
H& x5 V1 F5 g) V" e9 T$ U2 O! ]& z; P
3 x' |3 X0 [+ c# ^( Oint41handler PROC7 u- v& c V0 \2 b* o
mov cl,al4 k6 O, q' G& B( r; ^; j
iret; {- H) i. k6 ]* {' C" Z
int41handler ENDP
2 I l. C" l, n$ e
2 p# Q0 z3 A% Q) R& U- W( @$ x0 J
! T' G- }2 V$ e- t- S# B6 p1 J5 n xor ax,ax. m y1 X2 O$ W- q& d; B, s5 f
mov es,ax
, J0 n; E, t; c mov bx, cs
: j2 s/ ~5 R8 O% g$ \2 a) |2 c A lea dx, int41handler, |; S3 ~2 L9 o+ R
xchg dx, es:[41h*4]
7 g9 W$ r9 {- I7 b8 n xchg bx, es:[41h*4+2]
' h3 \0 ?% K8 k. R8 r8 n H in al, 40h3 a8 d% z( z* b* t0 I7 @: t6 S+ _
xor cx,cx0 E- r4 ]3 [ p h5 x! Z0 o
int 41h
% ], B w0 x% i& C xchg dx, es:[41h*4]
8 \7 U. v4 R5 T) g xchg bx, es:[41h*4+2]
2 W, c. x% \8 j" n; A( q cmp cl,al
9 m2 z; R$ V5 k2 j jnz SoftICE_detected
% `( }% ] u1 P$ A0 e, x- G* w
' I3 M$ `/ l- [( i: z' Y* \" V* m_________________________________________________________________________8 Y9 i2 H/ W' n4 G S
' \( M# O4 o3 H8 tMethod 07
( G# j# V G) J5 h# E5 X* l=========2 W/ R& U3 p. p6 j3 ~& d/ G
2 w0 I! z$ J/ p# l) W; c
Method of detection of the WinICE handler in the int68h (V86)
' `. N; G* }0 s3 o4 f9 K; f1 B* J; s$ H
mov ah,43h* c& z, r8 m8 L. R' c; P
int 68h. c' d! U( Q) [. S1 {+ x
cmp ax,0F386h
( y7 c' U& D1 @4 X# D+ n jz SoftICE_Detected
# }. r8 ~4 H4 i, Y: @2 Z9 d$ F$ X7 r6 X" |# M1 q- x2 ~
- O% F# z/ Y% p/ _# o- R2 u0 I. t- l=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit W6 W' h5 d2 ^8 H& t( N
app like this:
1 y3 I4 `( C. L
; S5 |. d6 W$ @9 r" Q; Z BPX exec_int if ax==68
; {3 W& f+ g2 l1 l; D (function called is located at byte ptr [ebp+1Dh] and client eip is" I, G9 \$ V* e3 f2 b6 C0 p
located at [ebp+48h] for 32Bit apps)9 R" y5 }7 n1 k* L9 l
__________________________________________________________________________
& a- K9 j8 n) i, {+ p3 f+ J O- Y; w! D) I
6 d* @' d8 g9 ~- P9 X NMethod 08& U" X% `7 O8 p& v0 |* }. t$ r$ K
=========) l7 R# ~# P2 t! O6 O; R
% X" F4 L0 U; U
It is not a method of detection of SoftICE but a possibility to crash the+ n. K9 W- y* i; e7 k
system by intercepting int 01h and int 03h and redirecting them to another
x G5 \5 Q# K4 W0 ]3 P2 }routine.
/ Z; o8 c8 F' E0 o$ O5 f+ w/ o: b8 QIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points* I4 @ K- r t# T8 _4 \3 T0 Y0 V
to the new routine to execute (hangs computer...)) O$ l/ l1 P O8 H. Q; u# c
! V4 l7 v+ c( O7 V" o. W) i5 ]$ c* T
mov ah, 25h" r0 u9 Z& D5 A% S+ A9 e! i
mov al, Int_Number (01h or 03h)0 z9 M9 z2 L T# W( S' i
mov dx, offset New_Int_Routine
& M4 C: u# ]( I# m# e. Z int 21h1 X, e" i1 O& M6 C
. }! Y4 ], q" y0 U- q' Z# w" }
__________________________________________________________________________
/ a& a( K. r' b) L
. v$ x4 I. F9 U2 gMethod 09) ? ]. U, C# S+ G
=========
6 E2 t" k$ q3 ^/ q' P
: R( E. h4 _% T! Y; YThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
& Y# R( S* E1 Tperformed in ring0 (VxD or a ring3 app using the VxdCall).* ?( }: e N0 c8 S0 n
The Get_DDB service is used to determine whether or not a VxD is installed
2 B3 {( N# a3 y* {for the specified device and returns a Device Description Block (in ecx) for
4 \4 D2 l) o. z# V& w0 Ethat device if it is installed./ |: O. ]' r" o
- t, s3 w* n. c' O' C0 f3 Y7 G! A+ k mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID+ p4 n& Z( L+ |, z8 n! p" E
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
( d4 Q% Y/ ^6 p" r3 k8 w VMMCall Get_DDB
( N& u: w; q5 X& {% Y: T, m mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
: O. f' a) M: i
8 Z( H0 y: C/ ~6 m# J3 ?Note as well that you can easily detect this method with SoftICE:4 ?- n$ \6 O) v( S# u! D, y- W# J) C
bpx Get_DDB if ax==0202 || ax==7a5fh' s, a/ M; D8 z) Q3 z
4 h2 A1 Z- m5 V__________________________________________________________________________
3 @6 c" J( F/ y
9 }( d$ x7 R" ^* A$ VMethod 107 G' f4 |! k5 r0 T" U6 Y
=========( E. n* T; Q/ M
+ X5 w1 y: @3 M S* m
=>Disable or clear breakpoints before using this feature. DO NOT trace with- X5 ^2 e- E. q6 [2 R! S2 I
SoftICE while the option is enable!!. A7 K. ?& c! y+ h m
9 G2 y" E+ c! i0 q8 PThis trick is very efficient:
9 h# |- ~8 k+ Z! ^& L/ H" Q8 gby checking the Debug Registers, you can detect if SoftICE is loaded: d" B# m" ~! p8 D' H8 q6 v
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if4 g% N* c. h0 K6 o* {5 a+ g4 O
there are some memory breakpoints set (dr0 to dr3) simply by reading their+ @; g" H" e% S O4 `
value (in ring0 only). Values can be manipulated and or changed as well
3 |+ G' b$ K' W" H7 \7 `& q(clearing BPMs for instance)1 B* f, d$ J0 u) T# i
+ d6 |' M; t/ I. w$ }__________________________________________________________________________
6 d8 @7 m9 x$ s+ u& s% C: U* [ n+ N3 }" ^2 E9 w
Method 11
3 I' M& @! q( {' A, d=========% |' }6 ?* c7 k; r1 A/ m
/ S2 r6 r& M; R' [/ z/ l
This method is most known as 'MeltICE' because it has been freely distributed: g) _. {; ^5 A) \& C; ]5 g
via www.winfiles.com. However it was first used by NuMega people to allow
1 @. Z2 ~% [; \6 ]Symbol Loader to check if SoftICE was active or not (the code is located7 |1 @. h* W* q# @4 K
inside nmtrans.dll)./ _3 m9 e$ N# _. f9 f- c
$ }8 A: s9 O, T/ KThe way it works is very simple:
1 F+ _3 _' _- n9 \8 U; V( bIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
% w! K- @0 m9 S+ k9 O2 `( kWinNT) with the CreateFileA API.
" s% _' y9 K: [
4 a/ o2 m8 l) u$ SHere is a sample (checking for 'SICE'):
5 X. F M0 [5 ?; C4 M, Y( t2 _/ Q" r, n5 ?8 z2 h# i) P
BOOL IsSoftIce95Loaded()
/ g! h# d8 F+ N; S& e" L{& O; a9 M( _ w3 X5 I1 \) |
HANDLE hFile;
8 `/ U* E% y H" ?& f8 Y: B hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
' |, }( r) j$ ^ FILE_SHARE_READ | FILE_SHARE_WRITE,, v, v1 {" [ _) |, F9 \1 ~
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
" `0 S7 X; U$ E8 Z1 g; r0 I if( hFile != INVALID_HANDLE_VALUE )0 M4 o2 G7 x1 A* u1 m w
{- _9 h3 p5 D% p; T7 q8 r; ^
CloseHandle(hFile);
3 w$ q7 M4 y3 t( Y return TRUE;
8 n4 q2 A$ R7 W- H$ T* P% p }
7 C3 z/ Y( l- Z0 y return FALSE;) W N4 b: X/ B2 \; T# ~
}1 _( O" U' M% G9 r* P0 |7 K
7 y( k0 }3 v$ ]) Z2 l+ J vAlthough this trick calls the CreateFileA function, don't even expect to be5 |2 D) C5 r) A- Q9 z/ ` m
able to intercept it by installing a IFS hook: it will not work, no way!
i, J) L f: z1 R& ^3 @* }: WIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
' e, |; ~4 ^& i. Q% k! x7 D( oservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)/ x! ?$ d( X) T& k9 N. X
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
+ {$ s+ G- v+ U* [9 Hfield., Y0 \/ V g. r" e3 O. I
In fact, its purpose is not to load/unload VxDs but only to send a
0 x X% N! J$ R' ?W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
" K2 d- i/ {; Z# O/ Z2 m e5 Rto the VxD Control_Dispatch proc (how the hell a shareware soft could try) V. u: _+ o3 a5 R5 i
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
4 ~) t- b' s) Z$ h. y& I& j* JIf the VxD is loaded, it will always clear eax and the Carry flag to allow
& }) U6 {/ N( a3 ? \its handle to be opened and then, will be detected.
4 p$ c, ?" v( S! R/ yYou can check that simply by hooking Winice.exe control proc entry point" d G0 b \+ _) j1 Z6 M
while running MeltICE.
" F8 W. F+ ~3 o! m& E; z
' J$ u0 k* T: i) ~
; s* K/ u6 I* i% q 00401067: push 00402025 ; \\.\SICE' D+ ~. P3 X8 {' ]. r
0040106C: call CreateFileA- B3 j" Q* U2 |
00401071: cmp eax,-001
4 Z3 R7 \5 Q& Y% o4 b 00401074: je 00401091
( L/ |$ j9 ^; t- B+ J9 J9 `) Y q# E7 \& G+ j, Y
( ?8 g# L4 R; m7 Y
There could be hundreds of BPX you could use to detect this trick.& s, }, L2 o! n0 g
-The most classical one is:2 p% |$ ]6 q) X9 I/ s2 ?
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||% S/ N0 P5 \. f! n. {" _/ Q
*(esp->4+4)=='NTIC'$ G! H1 _! K, R/ K$ {
+ L# C. K N( j/ ^: z2 u
-The most exotic ones (could be very slooooow :-(9 u' C8 z8 s: t+ {( S9 x
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
0 J' |; {) R& Y4 l* Y ;will break 3 times :-(: J6 w- }- k+ ^" d6 l% J1 j. W2 e
- d3 B5 |! a- |4 Y2 k, A( p-or (a bit) faster: 8 D4 E8 a! o( G* V) {% [$ h' D/ m
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
/ m8 R W, n2 G6 I* }3 W( Q1 c: |* l3 R
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
6 f3 z, a3 } j ;will break 3 times :-(
- A' S- ^( Z, O; ^ g
2 u, q: R5 F( E. c, U-Much faster:
2 `' K! X- r3 |! | BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
! a* e) \6 e1 S g' @9 B( L4 e4 F% \! x$ _" ?/ }4 x" h
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
2 {' L( x6 v+ d, i* m5 |$ D9 hfunction to do the same job:$ d7 H& k1 O$ e+ Z& @8 W% @
3 s K" Y( d' w6 o( z* a
push 00 ; OF_READ
8 h- {% O% U* w' L& X; r# l2 H mov eax,[00656634] ; '\\.\SICE',0
+ v$ J p+ z1 F' e# D* t T9 W, a# c push eax, Q. ], ~3 y! _8 d5 E g. A
call KERNEL32!_lopen; G8 v! T4 J7 l+ u& z
inc eax
. e& U6 _; |$ A. R, G: s3 _& A jnz 00650589 ; detected
" y. @4 x3 D0 ]' ]) k$ z5 l; h. u) G push 00 ; OF_READ9 }7 C/ g, t7 S4 W* w0 E( k! ~
mov eax,[00656638] ; '\\.\SICE'5 z9 |8 m. f# O- Z
push eax
1 o6 U6 V3 j# S8 s" {* v- `" x call KERNEL32!_lopen: G. @( Y" |# h, @. e% N
inc eax
! ^8 ^6 Q* s4 z5 a jz 006505ae ; not detected
$ W9 j! P; h0 `! e9 `
% f% k) ?3 D, V$ ^ q8 K; f- `& x# `
$ q. l. w- _/ G* [' ]% p__________________________________________________________________________
" l- n& X/ S. C8 Y' w
' d. G9 B+ P5 y( I5 xMethod 121 {$ V) K6 r( m. H. `
=========2 Z( y3 s4 r. |3 i% @
# K2 q0 K l- P v6 x5 W+ \This trick is similar to int41h/4fh Debugger installation check (code 053 X, b T {' I- |, x$ G7 o4 ]7 r
& 06) but very limited because it's only available for Win95/98 (not NT)5 X( U7 w" |' O8 s
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.5 `8 ~) x- h4 T7 u! c/ I( G, r
' h7 w! ^7 Q- x push 0000004fh ; function 4fh
5 W5 F6 Z# \2 |1 A: d push 002a002ah ; high word specifies which VxD (VWIN32)
2 j8 ~- m3 P- x3 X4 V9 x ; low word specifies which service
* S8 p% K4 a; v2 Y" ]) q3 t" K (VWIN32_Int41Dispatch)! {+ M: o: T3 g
call Kernel32!ORD_001 ; VxdCall
/ m! M) r6 x; Q; P, m8 ^+ b cmp ax, 0f386h ; magic number returned by system debuggers/ t; p5 e1 E+ ?2 O+ w6 B& j
jz SoftICE_detected
; ?* H. `/ n- u/ \0 U: T, e9 u
, J# [& K! K4 P9 i: ^Here again, several ways to detect it:" S, W, ?/ \7 D# X/ z. y2 Z0 {
1 i1 G3 ]& ]! p9 v; x- Y
BPINT 41 if ax==4f
3 k# a6 v; P6 [4 C, u
1 t1 w+ f Y+ a4 \* u: i2 } BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
3 ~4 [; i# [6 {$ W' L
6 c" S4 {- g! ^& D7 X BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A+ H# W" r9 h" {% Y
" T, `( t' q$ U2 p) e, s3 l. X
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
2 c0 C/ H2 w. e ^$ a; u
! f% R1 N" o$ A8 A% j__________________________________________________________________________8 |9 T5 i' }2 I4 E
/ B, l% f1 _3 t/ e0 X( U7 c2 sMethod 13) f$ v/ A5 Q' B) R. ^2 @; D9 S
=========
4 ^" A5 G2 |8 r: ~' a$ o/ b' h, n2 i$ N% h# [
Not a real method of detection, but a good way to know if SoftICE is [. |3 ~3 W+ E8 I% ^ y
installed on a computer and to locate its installation directory." \& v6 p, a+ F6 f8 K
It is used by few softs which access the following registry keys (usually #2) :% G3 x& c9 x4 G; z, I
9 \ ], ?7 T! V1 R! v0 u% u-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion/ Z& g! g+ [- r. R3 {
\Uninstall\SoftICE" X% K' t/ K/ Q3 h3 x2 |
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE E& ]2 a7 g* t" k8 w/ J( e# E
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
@' M7 ]2 i0 \0 H\App Paths\Loader32.Exe) `$ S i) J4 c0 a2 X+ t* o
) d& M5 ?" E) U; |: W$ n8 q
5 @( @' v5 A/ Z# `6 Q1 n6 s
Note that some nasty apps could then erase all files from SoftICE directory/ b( o& s4 J- M0 E
(I faced that once :-(
3 D! V0 @4 X$ m( v( r7 ?+ K( F
8 U) q/ Z0 V- Q6 b) v; Y% a" XUseful breakpoint to detect it:
( x6 m' O/ t; h& z" [* ?' V4 S) Z) j7 u- t7 q1 V, n Z/ S
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
( o3 Q0 \1 o& S3 X7 Q4 E. q8 L! e; E' y/ V, w1 ~: V: T' {. m
__________________________________________________________________________
0 T) c# t$ P0 v4 _& [+ l) U8 @
/ L% V: C" p6 p* D
* L. _3 q7 G2 y- vMethod 14 # R& d+ f( j8 L1 C% c# g, g
=========
- Z/ c+ t1 N0 ]+ |# ?) `/ @3 k' C
) |; Y( c7 P& P1 }4 j, k8 VA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
/ n" @ P5 ~' m4 z6 `) pis to determines whether a debugger is running on your system (ring0 only).2 _5 M7 d6 n5 m" B' i, S6 q+ q
1 Y2 m9 `! k" y% ^
VMMCall Test_Debug_Installed( n7 ]* o i& V- f9 W- O
je not_installed0 X* F" _/ t- p, m
- E Z' a' _" M6 D5 V- Y5 r
This service just checks a flag.
" m A( N7 ? J- x; L: z' Z</PRE></TD></TR></TBODY></TABLE> |