<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh       ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________
+ y( X" M5 S/ O4 O" F7 @
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints, or
to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911             ; execute command.
4C19:0098 MOV DX,[BX]             ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647             ; 1st magic value.
4C19:009D MOV DI,4A4D             ; 2nd magic value.
4C19:00A0 INT 3                   ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02               ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06               ; Repeat 6 times to execute
4C19:00A8 JB 0095                 ; 6 different commands.
4C19:00AA JMP 0002                ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP               ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
5 k2 N, {' [1 i6 a) D2 T0 x. P0 l" ^0 n# w, u4 }' N- E
Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h             ; VxD ID of winice
        int 2Fh
        mov ax, es                ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax                ; ES:DI stays 0:0 if the VxD is not loaded
        jnz SoftICE_Detected

___________________________________________________________________________
1 ~5 Z6 U. u& a5 z. B/ O
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh             ; VxD ID of SIWVID
        int 2fh
        mov ax, es                ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________
% e5 e6 h% k. F! X: O/ W3 M# ~6 U7 T
, @! e; E6 ]5 i% D8 z" [) f7 M7 y/ S
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax                 ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]       ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]     ; saving the old vector in dx:bx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]       ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h            ; our dummy handler leaves ax untouched, so
        jz SoftICE_detected       ; only a debugger trapping int 41h returns 0F386h

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________
( r |" D7 _2 Z7 F" W$ n- G$ |6 n W( G. A7 h7 L) V8 H
* n; _5 e4 h2 N$ ^, e
Method 06
=========

A second method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al                 ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                 ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]       ; install our handler, saving the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h                ; al = timer value (a pseudo-random byte)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]       ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al                 ; if our handler ran, cl == al; if SoftICE
        jnz SoftICE_detected      ; swallowed int 41h, cl is still 0

_________________________________________________________________________
" \1 S) M( X8 v0 l) o! d! X
Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
; Y) F! z$ M) j1 N$ d
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number        ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h


__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx            ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
/ U$ P' J# O' x& E# h
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
+ Q4 \6 E. w5 Y; t! d6 ~7 A5 {- B1 n# i9 L# t' }
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025           ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ; will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                   ; OF_READ
        mov eax,[00656634]        ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                   ; HFILE_ERROR (-1) becomes 0
        jnz 00650589              ; detected
        push 00                   ; OF_READ
        mov eax,[00656638]        ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae               ; not detected


__________________________________________________________________________
7 _9 Z: U' Q. F9 V8 \0 f$ P' [+ D( _9 { Y
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh            ; function 4fh
        push 002a002ah            ; high word specifies which VxD (VWIN32),
                                  ; low word specifies which service
                                  ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001     ; VxdCall
        cmp ax, 0f386h            ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386    ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________
1 a, N, I0 K/ c2 D7 n6 Q; `! U3 `3 l7 t
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
$ r# ^5 g4 a( M( m
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
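
As an added example (not part of the original text, nor code from any of the tools it names), here is a small Python scanner that looks for the byte encodings of the checks described in Methods 01, 02, 03/04, 05, 07, 11, 12 and 13, so an analyst can triage a sample for these tricks before stepping into it. The opcode encodings are standard 16-bit x86 (the 'BCHK' mov is 32-bit); the technique labels and the sample buffer are my own constructions.

```python
"""Static triage scanner for the anti-SoftICE idioms catalogued above."""
import re

# Byte encodings of the checks (16-bit code unless noted), derived from the
# instruction sequences quoted in each method using standard x86 encodings.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') -> BD 4B 48 43 42
    "M01 BoundsChecker 'BCHK' signature": rb"\xBD\x4B\x48\x43\x42",
    # Method 02: mov si,4647h ; mov di,4A4Dh (back-door magic values)
    "M02 back-door magic SI/DI": rb"\xBE\x47\x46\xBF\x4D\x4A",
    # Method 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "M03/04 int 2Fh/1684h VxD lookup": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h
    "M05 int 41h/4Fh debugger check": rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h ; int 68h
    "M07 int 68h/43h check": rb"\xB4\x43\xCD\x68",
    # Method 11: device names \\.\SICE, \\.\SIWVID, \\.\NTICE
    "M11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "M12 VxDCall Int41Dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: registry key #2
    "M13 SoftICE registry key": rb"Software\\NuMega\\SoftICE",
}


def scan_anti_softice(data: bytes) -> list:
    """Return (offset, technique) for every signature hit, ordered by offset."""
    hits = [(m.start(), name)
            for name, pattern in SIGNATURES.items()
            for m in re.finditer(pattern, data)]
    return sorted(hits)


def scan_file(path: str) -> list:
    """Scan a file on disk (e.g. a packed DOS/Win9x executable)."""
    with open(path, "rb") as f:
        return scan_anti_softice(f.read())


# Constructed sample buffer (not a real binary): a Method 05 check, then the
# Method 02 magic values, then a MeltICE device name string.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 3
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x00\x00"
    + b"\\\\.\\SICE\x00"                   # '\\.\SICE',0
)

if __name__ == "__main__":
    for offset, name in scan_anti_softice(SAMPLE):
        print(f"0x{offset:04X}  {name}")
```

Signature hits only say a sample contains the idiom; a packer may also build these values at run time, so treat a clean scan as a hint, not proof.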
6 a- W. _. B# m9 t& f( p</PRE></TD></TR></TBODY></TABLE> |