<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]             ; swap our own handler into the int 41h vector
        xchg bx, es:[41h*4+2]           ; (es must address segment 0, the IVT; see Method 06)
        mov ax,4fh
        int 41h                         ; our handler just irets, so ax stays 4fh unless
                                        ; a system debugger answers the call itself
        xchg dx, es:[41h*4]             ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al                       ; copy the value the caller put in al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                       ; es = 0 -> the real-mode IVT
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]             ; install our handler as the int 41h vector
        xchg bx, es:[41h*4+2]
        in al, 40h                      ; read PIT channel 0: a pseudo-random byte
        xor cx,cx
        int 41h                         ; our handler copies al into cl; a system debugger
                                        ; that owns int 41h answers instead and cl stays 0
        xchg dx, es:[41h*4]             ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al                       ; equal only if our own handler ran
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
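To make explicit what this check actually reads, here is a small Python decoder for the DR7 layout. It is example code added to this page, not part of the original text or of any tool it describes: it shows why 0x400 is the floor value (bit 10 of DR7 is reserved and always reads as 1), why 0x700 means the LE/GE exact-breakpoint bits are also set, and which of dr0..dr3 a set of BPMs would arm. The sample register values are constructed; the script only decodes numbers you hand it and never touches the real debug registers.

```python
"""Decode an x86 DR7 debug-control register the way the Method 10 check
reads it, and report which hardware breakpoints are armed.
Added example, not from the original text; sample values are constructed."""

# DR7 field layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   : L0,G0,L1,G1,L2,G2,L3,G3  local/global enable per slot
#   bits 8,9   : LE, GE  local/global exact breakpoint enable (legacy)
#   bit  10    : reserved, reads as 1 (hence the 0x400 floor)
#   bits 16-31 : per slot, 2-bit R/W (condition) then 2-bit LEN

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # the LEN encoding is not monotonic


def decode_dr7(dr7):
    """Return a dict describing the enable flags and the four breakpoint slots."""
    info = {
        "le": bool(dr7 >> 8 & 1),
        "ge": bool(dr7 >> 9 & 1),
        "reserved_bit10": bool(dr7 >> 10 & 1),
        "slots": [],
    }
    for i in range(4):
        local = bool(dr7 >> (2 * i) & 1)
        glob = bool(dr7 >> (2 * i + 1) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        info["slots"].append({
            "index": i,
            "enabled": local or glob,
            "scope": "global" if glob else ("local" if local else None),
            "condition": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return info


def armed_breakpoints(dr7):
    """Indices of the DR0..DR3 slots that are enabled (what a BPM check looks for)."""
    return [s["index"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def describe(dr7):
    """One-line summary in the spirit of the 0x700 / 0x400 distinction in the text."""
    d = decode_dr7(dr7)
    if d["le"] and d["ge"]:
        base = "exact-breakpoint bits set (LE|GE), as when started under the SoftICE loader"
    else:
        base = "only the reserved bit set, no exact-breakpoint flags"
    bps = armed_breakpoints(dr7)
    return f"dr7={dr7:#x}: {base}; armed hardware breakpoints: {bps or 'none'}"


# Constructed sample values: the two values quoted in the text, plus a DR7
# with one 4-byte read/write breakpoint armed in slot 0 (what a BPM sets).
SAMPLE_DR7 = [0x700, 0x400, 0x400 | 0x1 | (3 << 16) | (3 << 18)]

if __name__ == "__main__":
    for v in SAMPLE_DR7:
        print(describe(v))
```

The third sample decodes to 0xF0401: local enable for slot 0, R/W = 3 (break on data read or write) and LEN = 3 (4 bytes), which is the shape a data BPM leaves behind and is exactly what a ring0 read of dr7 would expose.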

__________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name of the SICE VxD only succeeds if it is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(
-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; _lopen returns -1 on failure, so eax becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
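The conditional breakpoints quoted for Methods 11 and 13 all work the same way: they compare four bytes at a fixed offset into an API argument read off the stack. The following Python, added here as an example and not part of the original text, models that arithmetic over constructed sample arguments. At a BPX on a stdcall entry point the return address sits at [esp], so esp->4 is the first argument (lpFileName for CreateFileA and _lopen) and +4 skips the four-byte '\\.\' device prefix; esp->8 is the second argument (lpSubKey for RegOpenKey), and 0x13 and 0x37 are exactly where 'tICE' falls in the two SoftICE key paths listed above. The tice_offset helper is an addition, not a SoftICE function; it shows how those two offsets were derived.

```python
"""Emulate the byte-offset comparisons used by the SoftICE conditional
breakpoints quoted for Methods 11 and 13, over constructed sample arguments.
Added example, not from the original text: it models the stack layout of a
BPX at a stdcall entry (first argument at esp->4, second at esp->8) with
plain Python values instead of live memory."""

# Device-name tags the MeltICE-style checks open: *(esp->4+4) in the text
SOFTICE_DEVICE_TAGS = (b"SICE", b"SIWV", b"NTIC")
DEVICE_PREFIX = b"\\\\.\\"          # the 4 bytes '\\.\' that +4 skips over


def _as_bytes(arg):
    """API arguments as the debugger sees them: raw ANSI bytes."""
    return arg if isinstance(arg, bytes) else arg.encode("latin-1")


def dword_at(buf, offset):
    """*(ptr+offset): the four bytes at `offset`, or None if the string is too
    short (a real BPX condition would read past the terminator; we refuse)."""
    chunk = buf[offset:offset + 4]
    return chunk if len(chunk) == 4 else None


def createfile_condition(lp_file_name):
    """BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || ...
    esp->4 is lpFileName; +4 skips the device prefix to the driver name."""
    name = _as_bytes(lp_file_name)
    return name.startswith(DEVICE_PREFIX) and dword_at(name, 4) in SOFTICE_DEVICE_TAGS


def regopenkey_condition(lp_sub_key):
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    esp->8 is lpSubKey; the two offsets are where 'tICE' sits in key #2 and
    key #1 of the registry list above."""
    key = _as_bytes(lp_sub_key)
    return dword_at(key, 0x13) == b"tICE" or dword_at(key, 0x37) == b"tICE"


def tice_offset(lp_sub_key):
    """Offset at which 'tICE' would have to be read for an arbitrary subkey
    containing 'SoftICE' (hypothetical helper showing how 0x13/0x37 arise)."""
    idx = _as_bytes(lp_sub_key).find(b"SoftICE")
    return None if idx < 0 else idx + 3


# Constructed sample API arguments, as a debugger would find them on the stack.
SAMPLE_CREATEFILE_ARGS = [
    r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE", r"\\.\PhysicalDrive0", r"C:\SICE.txt",
]
SAMPLE_REGOPENKEY_ARGS = [
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
    r"Software\Microsoft\Windows\CurrentVersion\Run",
]


def scan(createfile_args=SAMPLE_CREATEFILE_ARGS, regopenkey_args=SAMPLE_REGOPENKEY_ARGS):
    """Return, per API, the arguments on which the breakpoint condition would fire."""
    return {
        "CreateFileA": [a for a in createfile_args if createfile_condition(a)],
        "_regopenkey": [a for a in regopenkey_args if regopenkey_condition(a)],
    }


if __name__ == "__main__":
    for api, hits in scan().items():
        print(api, "would break on:", hits)
    for key in SAMPLE_REGOPENKEY_ARGS[:2]:
        print(f"{key}: 'tICE' at offset {tice_offset(key):#x}")
```

Note that key #3 (App Paths\Loader32.Exe) does not contain 'tICE' at either offset, so the quoted breakpoint misses programs that only read that key; a defender writing such a condition would add a third clause for it.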
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>