<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h   ; VxD ID of winice
    int 2Fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh   ; VxD ID of SIWVID
    int 2fh
    mov ax, es      ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; ES is assumed to point at segment 0 (the IVT), as in Method 06
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl,al               ; our own handler copies AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keeping the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer port: an unpredictable value in AL
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; if our handler ran, CL == AL; otherwise int 41h was taken over
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the driver's device name succeeds only if the VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
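The breakpoints above catch these tricks at run time. An analyst can also flag them statically before a sample is ever run: the listings for Methods 01 to 05, 07, 11 and 13 pin down fixed byte sequences and strings. The following scanner is an added example written for this page, not code from the text or from any of the packers or tools it names. The byte patterns are hand-encoded from the listings above, and the sample buffer it scans is constructed for the demonstration rather than taken from a real file.

```python
import re

# Signatures hand-encoded from the listings on this page. The DOS-era tricks
# are encoded as 16-bit code; a 32-bit build of the same instructions would
# carry 66h operand-size prefixes and would need its own patterns.
#   mov ebp,4243484Bh                     -> BD 4B 48 43 42            (Method 01)
#   mov si,4647h / mov di,4A4Dh           -> BE 47 46 BF 4D 4A         (Method 02)
#   mov ax,1684h / mov bx,0202h / int 2Fh -> B8 84 16 BB 02 02 CD 2F   (Method 03)
#   mov ax,1684h / mov bx,7A5Fh / int 2Fh -> B8 84 16 BB 5F 7A CD 2F   (Method 04)
#   mov ax,4Fh / int 41h                  -> B8 4F 00 CD 41            (Method 05)
#   mov ah,43h / int 68h                  -> B4 43 CD 68               (Method 07)
#   \\.\SICE, \\.\SIWVID, \\.\NTICE       -> ASCII device names        (Method 11)
#   Software\NuMega\SoftICE               -> ASCII registry path       (Method 13)
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' int 3", re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("M02 back door magic SI=4647h DI=4A4Dh", re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A")),
    ("M03 int 2Fh/1684h VxD ID 0202h (SICE)", re.compile(rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F")),
    ("M04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)", re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F")),
    ("M05 int 41h/4Fh debugger check", re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    ("M07 int 68h/43h V86 check", re.compile(rb"\xB4\x43\xCD\x68")),
    ("M11 MeltICE device name", re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)")),
    ("M13 SoftICE registry key", re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(data: bytes):
    """Return a list of (offset, label) for every signature hit, ordered by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(data):
            hits.append((match.start(), label))
    return sorted(hits)


def methods_found(data: bytes):
    """Distinct method labels in order of first appearance in the buffer."""
    seen = []
    for _, label in scan(data):
        if label not in seen:
            seen.append(label)
    return seen


# Constructed sample (not a real file): filler, then the Method 02 back-door
# sequence as in the Haspinst listing (MOV AX,0911 / MOV DX,[BX] / MOV SI,4647 /
# MOV DI,4A4D / INT 3), a MeltICE-style device name, and a Method 05 check.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09"          # mov ax,0911h
    + b"\x8B\x17"              # mov dx,[bx]
    + b"\xBE\x47\x46"          # mov si,4647h   (offset 13)
    + b"\xBF\x4D\x4A"          # mov di,4A4Dh
    + b"\xCC"                  # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"       # device name    (offset 24)
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"  # mov ax,4Fh / int 41h (offset 37)
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:08x}  {label}")
```

The short instruction patterns (four or five bytes) can match by chance in unrelated code or data, so treat a single hit as a lead for the breakpoints listed above rather than as a verdict; the string patterns for Methods 11 and 13 are far less prone to that.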

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>