<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh          ; VxD ID of SIWVID
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as the following method, are two examples taken from
Stone's "stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

    int41handler2 PROC
        iret
    int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method, similar to the preceding one but more difficult to detect.
The program's own int 41h handler copies AL into CL; if that handler is not
the one that runs because a debugger has taken over int 41h, CL stays at zero
and differs from AL:

    int41handler PROC
        mov cl, al
        iret
    int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

    mov eax, Device_ID     ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).


__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

    #include &lt;windows.h&gt;

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        /* Opening the driver's device name succeeds only when the VxD is loaded. */
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
&amp; 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004Fh            ; function 4Fh
    push 002A002Ah            ; high word specifies which VxD (VWIN32),
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxDCall
    cmp ax, 0F386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, there are several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx->1c==4f &amp;&amp; edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A &amp;&amp; esp->8==4f    ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

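As an added example (not part of this text, nor code from any tool it names), the following Python scanner looks in a binary for the byte sequences that the tricks of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 leave behind, so an analyst can flag a sample that checks for SoftICE before stepping into it. The instruction encodings are standard x86 and the sample buffer is hand-assembled, not taken from any real file.

```python
import re

# One entry per trick described above: a label keyed to the method number and a
# bytes regex for the x86 instruction/string bytes the trick leaves in a binary.
# Optional 66h prefixes allow for the same instruction in 16-bit and 32-bit code.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3      -> BD 4B 48 43 42 ... CC
    ("M01 BoundsChecker 'BCHK' int 3 check",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,12}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values, then int 3
    ("M02 SoftICE back-door magic SI=4647h/DI=4A4Dh",
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL)),
    # Methods 03/04: mov bx,0202h (SICE) or 7A5Fh (SIWVID) ... int 2Fh
    ("M03/04 int 2Fh/1684h VxD ID probe",
     re.compile(rb"\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    # Method 05: int 41h followed by cmp ax,0F386h        -> CD 41 ... 3D 86 F3
    ("M05 int 41h/4Fh debugger check (0F386h)",
     re.compile(rb"\xCD\x41.{0,8}?\x66?\x3D\x86\xF3", re.DOTALL)),
    # Method 07: mov ah,43h / int 68h                      -> B4 43 CD 68
    ("M07 int 68h/43h V86 handler check", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: driver device names opened with CreateFileA / _lopen
    ("M11 MeltICE driver name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh / push 002A002Ah before VxDCall  -> 6A 4F 68 2A 00 2A 00
    ("M12 VxDCall VWIN32_Int41Dispatch/4Fh", re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: SoftICE registry key
    ("M13 SoftICE registry key lookup",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(buf: bytes):
    """Return every hit as (offset, label), sorted by offset."""
    hits = []
    for label, pat in SIGNATURES:
        for m in pat.finditer(buf):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample buffer (not from any real file): NOP filler around
# hand-assembled versions of the sequences quoted in the text above.
SAMPLE = (
    b"\x90" * 16
    # M01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    + b"\x90" * 8
    # Haspinst.exe loop body: mov ax,0911 / mov dx,[bx] / mov si,4647 / mov di,4A4D / int 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x90" * 8
    # M12: push 4Fh / push 002A002Ah / call rel32 / cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"   # M11 device name as a C string
    + b"\x90" * 8
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Hits are reported by file offset, so they can be cross-checked against a disassembly before deciding which of the breakpoints listed above to set.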
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>