<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3 ; if SoftICE is loaded, its int 3 handler changes al
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command string)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

 4C19:0095 MOV AX,0911 ; execute command.
 4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
 4C19:009A MOV SI,4647 ; 1st magic value.
 4C19:009D MOV DI,4A4D ; 2nd magic value.
 4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*).
 4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
 4C19:00A4 INC CX
 4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
 4C19:00A8 JB 0095 ; 6 different commands.
 4C19:00AA JMP 0002 ; Bad_Guy jmp back.
 4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI stays 0000:0000 if the VxD is not loaded
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler,
 xchg bx, es:[41h*4+2] ; keeping the old vector in bx:dx
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h ; only a resident system debugger answers with the magic value
 jz SoftICE_detected

int41handler2 PROC
 iret ; does nothing: ax is unchanged when no debugger is present
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; reached only if no debugger handles int 41h itself
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; es = 0 -> interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our own int 41h handler
 xchg bx, es:[41h*4+2]
 in al, 40h ; read the timer: an unpredictable value
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al ; cl == al only if our own handler ran
 jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h ; set interrupt vector
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device can only be opened if the SoftICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) when the open fails
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected
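As an added example (not part of the original text), here is a small Python scanner an analyst can run over a raw executable image to flag the signatures of Methods 01 and 02 (an int 3 preceded by the 'BCHK' or 4647h/4A4Dh register loads) and of Method 11 (the embedded SoftICE device names); the SAMPLE bytes are constructed for the demonstration, not taken from a real packer.

```python
"""Static scanner for the SoftICE-detection signatures of Methods 01, 02 and 11.
Added example, not part of the original text; SAMPLE is a constructed byte
image, not a real packer."""
import struct

INT3 = b"\xCC"
# Little-endian immediates of the magic values quoted in the text.
MOV_EBP_BCHK = b"\xBD" + struct.pack("<I", 0x4243484B)  # mov ebp, 4243484Bh ('BCHK')
MOV_SI_MAGIC = b"\xBE" + struct.pack("<H", 0x4647)      # mov (e)si, 4647h
MOV_DI_MAGIC = b"\xBF" + struct.pack("<H", 0x4A4D)      # mov (e)di, 4A4Dh
# Device names opened by MeltICE-style checks (Method 11).
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]


def _find_all(buf, needle):
    """Yield every offset at which needle occurs in buf (overlaps included)."""
    i = buf.find(needle)
    while i != -1:
        yield i
        i = buf.find(needle, i + 1)


def scan_int3_backdoors(buf, window=16):
    """Report each int 3 preceded, within `window` bytes, by the register loads
    of Method 01 (ebp='BCHK') or Method 02 (si/di magic values).  Opcodes
    BD/BE/BF encode these loads in both 16- and 32-bit code."""
    hits = []
    for pos in _find_all(buf, INT3):
        before = buf[max(0, pos - window):pos]
        if MOV_EBP_BCHK in before:
            hits.append((pos, "Method 01: BoundsChecker 'BCHK' int 3 back door"))
        elif MOV_SI_MAGIC in before and MOV_DI_MAGIC in before:
            hits.append((pos, "Method 02: SI=4647h/DI=4A4Dh int 3 back door"))
    return hits


def scan_device_names(buf):
    """Report embedded SoftICE device names (Method 11 CreateFileA/_lopen checks)."""
    return [(pos, "Method 11: opens device %s" % name.decode())
            for name in DEVICE_NAMES for pos in _find_all(buf, name)]


def scan(buf):
    """All findings as (offset, description), sorted by offset."""
    return sorted(scan_int3_backdoors(buf) + scan_device_names(buf))


# Constructed sample: the Haspinst.exe loop of Method 02 (16-bit), the
# Method 01 sequence (32-bit) and a MeltICE device name, separated by nops.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09" + b"\x8B\x17"          # mov ax,0911h ; mov dx,[bx]
    + b"\xBE\x47\x46" + b"\xBF\x4D\x4A"      # mov si,4647h ; mov di,4A4Dh
    + b"\xCC" + b"\x83\xC3\x02"              # int 3 (offset 19) ; add bx,2
    + b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"                # mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00" + b"\xCC"          # mov ax,4 ; int 3 (offset 40)
    + b"\x3C\x04" + b"\x90" * 8              # cmp al,4
    + b"\\\\.\\SICE\x00"                     # "\\.\SICE" (offset 51)
    + b"\xCC" * 4                            # stray int 3s: no loads before them
)
```

Run it on a real file with scan(open(path, "rb").read()); the stray int 3 bytes at the end of SAMPLE show why the window check is needed to keep ordinary breakpoints out of the results.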

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>