<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker ('BCHK') in SoftICE.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4           ; SoftICE's int 3 handler changes AL
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :))

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point").

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

___________________________________________________________________________
( C$ }( j+ F y6 |- eMethod 07
0 L/ @& W3 h( e' @=========; `" g' {: V7 b
/ @ S1 {/ G5 N( D( h# l9 L/ T$ S$ B* Y9 i
Method of detection of the WinICE handler in the int68h (V86)
2 `( m+ c* x/ i. m/ w. O: {- l, m
3 A% E. X5 B7 w' p* k0 O$ ^5 q- l9 d1 C mov ah,43h
5 K e; Y- B9 `9 F int 68h
2 U$ r6 E& M9 {: \" X/ v* `3 }$ \ cmp ax,0F386h3 B) t$ i3 x) z2 q% q
jz SoftICE_Detected
$ b' O6 y6 \2 n
$ @/ W- a' C5 h! w% G7 X- d; p% S2 n w7 T( u) m+ x* T
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit1 ?. J& |: F' C6 L& r
app like this:; [ I, ]6 s* A2 c
, V9 u2 r2 d/ Y9 x1 u- u1 B BPX exec_int if ax==68
9 [# c8 U& r# @; _ (function called is located at byte ptr [ebp+1Dh] and client eip is
! P5 D/ I1 W$ i% O: F9 {% m located at [ebp+48h] for 32Bit apps)
7 p' i d4 F3 A+ _3 L__________________________________________________________________________
' T& n7 R# N3 Z( c5 k( f# u' q+ V+ K9 F' h3 ^- e3 u
3 A4 M. Y( ~6 x6 f! J! u' [* k
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

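As an added example (not code from the original page), here is a decoder for the DR7 value that the check above reads; it shows why 0x400 is the idle value (bit 10 is reserved and always reads as 1) and what 0x700 adds (the LE/GE exact-match bits). The bit layout follows the Intel SDM; the 0x000F0401 sample value is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one DR7 value (bit layout per the Intel SDM). */
typedef struct {
    int local_enable[4];   /* L0..L3: bits 0,2,4,6 */
    int global_enable[4];  /* G0..G3: bits 1,3,5,7 */
    int rw[4];             /* R/W0..3: 00 exec, 01 write, 11 read/write */
    int len[4];            /* LEN0..3: 00 1 byte, 01 2 bytes, 11 4 bytes */
    int le, ge;            /* bits 8 and 9: local/global exact breakpoint match */
    int reserved_bit10;    /* always reads as 1, hence the 0x400 baseline */
} dr7_view;

/* Decodes dr7 into *v and returns how many of the four breakpoint slots are enabled. */
int dr7_decode(uint32_t dr7, dr7_view *v) {
    int enabled = 0;
    for (int i = 0; i < 4; i++) {
        v->local_enable[i]  = (dr7 >> (2 * i)) & 1;
        v->global_enable[i] = (dr7 >> (2 * i + 1)) & 1;
        v->rw[i]  = (dr7 >> (16 + 4 * i)) & 3;
        v->len[i] = (dr7 >> (18 + 4 * i)) & 3;
        if (v->local_enable[i] || v->global_enable[i]) enabled++;
    }
    v->le = (dr7 >> 8) & 1;
    v->ge = (dr7 >> 9) & 1;
    v->reserved_bit10 = (dr7 >> 10) & 1;
    return enabled;
}

/* The Method 10 check: anything beyond the idle value 0x400 (LE/GE set, as the
   SoftICE loader leaves them, or any enabled slot = a BPM) is suspicious. */
int dr7_suggests_debugger(uint32_t dr7) {
    dr7_view v;
    int enabled = dr7_decode(dr7, &v);
    return enabled > 0 || v.le || v.ge;
}

static void dr7_print(uint32_t dr7) {
    dr7_view v;
    int n = dr7_decode(dr7, &v);
    printf("DR7=0x%08x: %d slot(s) enabled, LE=%d GE=%d -> %s\n", dr7, n, v.le, v.ge,
           dr7_suggests_debugger(dr7) ? "debugger/BPM suspected" : "clean");
    for (int i = 0; i < 4; i++)
        if (v.local_enable[i] || v.global_enable[i])
            printf("  BP%d: rw=%d len=%d\n", i, v.rw[i], v.len[i]);
}

int main(void) {
    dr7_print(0x400);       /* idle value: only the reserved bit set */
    dr7_print(0x700);       /* loaded through the SoftICE loader: LE and GE set */
    dr7_print(0x000F0401);  /* constructed: slot 0 enabled, 4-byte read/write BPM */
    return 0;
}
```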
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only if the VxD is loaded. */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

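As an added example (not code from the original page), the instruction sequences and strings quoted in methods 01, 02, 03, 05, 07, 11, 12 and 13 hand-assembled into byte signatures, with a small scanner that flags them in a binary image, the static counterpart of the BPX breakpoints listed above. The encodings assume 16-bit operand size for the DOS snippets, 32-bit for the BCHK and VxDCall ones and the short `push imm8` form; the sample buffer is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hand-assembled encodings of the sequences quoted on this page (assumed, see lead-in). */
static const uint8_t sig_bchk[]    = {0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC}; /* mov ebp,'BCHK'; mov ax,4; int 3 */
static const uint8_t sig_magic[]   = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A};                     /* mov si,4647h; mov di,4A4Dh */
static const uint8_t sig_vxdid[]   = {0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F};          /* mov ax,1684h; mov bx,202h; int 2Fh */
static const uint8_t sig_int41[]   = {0xB8,0x4F,0x00, 0xCD,0x41};                          /* mov ax,4Fh; int 41h */
static const uint8_t sig_int68[]   = {0xB4,0x43, 0xCD,0x68};                               /* mov ah,43h; int 68h */
static const uint8_t sig_vxdcall[] = {0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00};                /* push 4Fh; push 2A002Ah */

typedef struct { const char *name; const uint8_t *bytes; size_t len; } sig_t;
#define BYTES(a) (a), sizeof(a)
#define STR(s)   (const uint8_t *)(s), sizeof(s) - 1
static const sig_t sigs[] = {
    {"method 01: BCHK int 3 check",             BYTES(sig_bchk)},
    {"method 02: SI/DI magic values",           BYTES(sig_magic)},
    {"method 03: int 2Fh/1684h VxD ID 0202h",   BYTES(sig_vxdid)},
    {"method 05: int 41h/4Fh",                  BYTES(sig_int41)},
    {"method 07: int 68h/43h",                  BYTES(sig_int68)},
    {"method 12: VxDCall VWIN32_Int41Dispatch", BYTES(sig_vxdcall)},
    {"method 11: \\\\.\\SICE device name",      STR("\\\\.\\SICE")},
    {"method 11: \\\\.\\SIWVID device name",    STR("\\\\.\\SIWVID")},
    {"method 11: \\\\.\\NTICE device name",     STR("\\\\.\\NTICE")},
    {"method 13: NuMega\\SoftICE registry key", STR("NuMega\\SoftICE")},
};

/* Returns the offset of the first occurrence of pat in buf, or -1 if absent. */
long find_bytes(const uint8_t *buf, size_t len, const uint8_t *pat, size_t plen) {
    if (plen == 0 || len < plen) return -1;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* Scans buf against every signature, prints each hit and returns the hit count. */
int scan_anti_softice(const uint8_t *buf, size_t len) {
    int hits = 0;
    for (size_t s = 0; s < sizeof sigs / sizeof sigs[0]; s++) {
        long off = find_bytes(buf, len, sigs[s].bytes, sigs[s].len);
        if (off >= 0) { printf("0x%04lx  %s\n", (unsigned long)off, sigs[s].name); hits++; }
    }
    return hits;
}

/* Constructed sample: filler bytes around the method 01, 02 and 11 sequences. */
const uint8_t sample[] = {
    0x90,0x90, 0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10,
    0x90, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC, 0x90,
    '\\','\\','.','\\','S','I','C','E',0, 0xC3
};

int main(void) {
    printf("%d anti-SoftICE pattern(s) found\n", scan_anti_softice(sample, sizeof sample));
    return 0;
}
```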
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>