<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

        mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker signature)
        mov ax, 04h             ; function 04h
        int 3                   ; answered by SoftICE if it is loaded
        cmp al,4                ; AL still 04h -> nobody answered
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02             ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).


        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; int 2Fh/1684h: get VxD API entry point
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; still 0 if the VxD is not there
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di               ; ES:DI = 0:0 before the call
        mov ax, 1684h           ; int 2Fh/1684h: get VxD API entry point
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; still 0 if the VxD is not there
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh              ; int 41h/4Fh: "is a debugger installed?"
        int 41h
        cmp ax, 0F386h          ; magic answer of system debuggers
        jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; assumes ES = 0 (interrupt vector table), as set up in Method 06
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler,
        xchg bx, es:[41h*4+2]   ; saving the old vector in BX:DX
        mov ax,4fh
        int 41h                 ; only a debugger hooking int 41h can change AX
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret                    ; does nothing: AX stays 4Fh without a debugger
int41handler2 ENDP



_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl,al               ; our own handler: copy AL into CL
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 (interrupt vector table)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, saving the old vector in BX:DX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; AL = timer counter, a value nobody can predict
        xor cx,cx
        int 41h                 ; if nothing intercepts int 41h, our handler sets CL=AL
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL != AL: somebody else handled int 41h
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h              ; int 68h/43h: debugger installation check
        int 68h
        cmp ax,0F386h           ; magic answer of system debuggers
        jz SoftICE_Detected



=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
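The following Python scanner is an added example, not part of the original text, that looks for the fixed operands of Methods 01 to 07 in a raw code image, the way an analyst triages a DOS packer or loader for these checks. It assumes 16-bit real-mode encodings (with an optional 66h prefix for the 32-bit mov of Method 01) and tolerates a few bytes between the anchor instructions; Hit, scan and SAMPLE are names chosen here, and the sample image is hand-assembled from the listings above (constructed, not taken from any real file). Method 06 carries no magic constant of its own, so its hit is reported at low confidence.

```python
import re
from dataclasses import dataclass


@dataclass
class Hit:
    offset: int        # byte offset of the first matched instruction
    method: str        # method number(s) as in the text above
    description: str


VXD_NAMES = {b"\x02\x02": "SICE (0202h)", b"\x5F\x7A": "SIWVID (7A5Fh)"}
BACKDOOR_FN = {0x10: "display string", 0x11: "execute command",
               0x12: "get breakpoint info", 0x13: "set breakpoint",
               0x14: "remove breakpoint"}

# (method, description, regex over raw bytes). 16-bit real-mode encodings are
# assumed; '.{0,8}?' tolerates a few unrelated bytes between the anchors.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' handshake: mov ebp,4243484Bh ... int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    ("02", "int 3 back door: mov si,4647h / mov di,4A4Dh / int 3",
     re.compile(rb"(?:\xB8(?P<fn>[\x10-\x14])\x09.{0,12}?)?"
                rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL)),
    ("03/04", "int 2Fh/1684h entry-point query for a SoftICE VxD ID",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?P<vxd>\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                re.DOTALL)),
    ("05", "int 41h function 4Fh (system debugger installed?)",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.DOTALL)),
    ("06", "in al,40h ... int 41h (handler-swap variant, no magic constant; low confidence)",
     re.compile(rb"\xE4\x40.{0,8}?\xCD\x41", re.DOTALL)),
    ("07", "int 68h function 43h (V86 WinICE handler)",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
]
MAGIC_CMP = re.compile(rb"\x3D\x86\xF3")   # cmp ax,0F386h


def scan(image: bytes) -> list:
    """Return every signature hit in the image, ordered by offset."""
    hits = []
    for method, desc, rx in SIGNATURES:
        for m in rx.finditer(image):
            extra = ""
            g = m.groupdict()
            if g.get("fn") is not None:          # which back-door function was requested
                fn = g["fn"][0]
                extra = f" (AX=09{fn:02X}h: {BACKDOOR_FN[fn]})"
            if g.get("vxd") is not None:         # which VxD ID was queried
                extra = f" ({VXD_NAMES[g['vxd']]})"
            # A cmp ax,0F386h right after the call is the Method 05/07 tell.
            if MAGIC_CMP.search(image, m.end(), m.end() + 8):
                extra += " [followed by cmp ax,0F386h]"
            hits.append(Hit(m.start(), method, desc + extra))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample: hand-assembled 16-bit fragments of Methods 01, 02, 03, 05
# and 07 from the listings above, separated by NOP padding. Not a real binary.
SAMPLE = b"".join([
    b"\x90" * 4,
    # mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10",
    b"\x90" * 4,
    # mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3 /
    # add bx,2 / inc cx / cmp cx,6 / jb  (the Haspinst.exe loop)
    b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC\x83\xC3\x02\x41\x83\xF9\x06\x72\xED",
    b"\x90" * 4,
    # xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh / mov ax,es /
    # add ax,di / test ax,ax / jnz
    b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F\x8C\xC0\x01\xF8\x85\xC0\x75\x10",
    b"\x90" * 4,
    # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10",
    b"\x90" * 4,
    # mov ah,43h / int 68h / cmp ax,0F386h / jz
    b"\xB4\x43\xCD\x68\x3D\x86\xF3\x74\x10",
])

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#06x}  method {h.method:<5} {h.description}")
```

Run it on a raw DOS image (an .exe with the MZ header stripped, or a decrypted memory dump) rather than on a packed file, since the checks usually sit in the decrypted layer; a hit only says that the constants are present, so confirm it in the debugger as the text describes.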
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
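To make the Debug Register check concrete, here is an added example (not from the original text) that decodes a DR7 value the way an analyst does when reading ring0 state from a VM snapshot or crash dump: which of DR0-DR3 are armed, with what type and length, and whether the LE/GE bits that make up the 0x700 pattern are set. The field layout is the documented i386 DR7 format; DebugRegisters, decode_dr7 and assess are names chosen here, and the sample values are constructed.

```python
from dataclasses import dataclass

RW_NAMES = {0: "execute", 1: "write", 2: "I/O read/write", 3: "read/write"}
LEN_NAMES = {0: "1 byte", 1: "2 bytes", 2: "8 bytes", 3: "4 bytes"}  # LEN=2 only on long-mode CPUs


@dataclass
class DebugRegisters:
    dr0: int = 0
    dr1: int = 0
    dr2: int = 0
    dr3: int = 0
    dr7: int = 0x400          # bit 10 is reserved and reads as 1 on a clean system


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into per-breakpoint enable/type/length fields and the global flags."""
    breakpoints = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # Ln
        glob = (dr7 >> (2 * n + 1)) & 1       # Gn
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3        # R/Wn
        ln = (dr7 >> (18 + 4 * n)) & 3        # LENn
        breakpoints.append({"index": n, "local": bool(local), "global": bool(glob),
                            "type": RW_NAMES[rw], "length": LEN_NAMES[ln]})
    return {"breakpoints": breakpoints,
            "le": bool(dr7 & (1 << 8)),       # local exact breakpoint enable
            "ge": bool(dr7 & (1 << 9)),       # global exact breakpoint enable
            "gd": bool(dr7 & (1 << 13))}      # general detect: any DR access raises #DB


def assess(regs: DebugRegisters) -> dict:
    """Apply the text's heuristic: DR7 == 0x700 means SoftICE Loader, an armed
    DR0-DR3 means a BPM is set. Returns the findings plus a one-word verdict."""
    d = decode_dr7(regs.dr7)
    addrs = [regs.dr0, regs.dr1, regs.dr2, regs.dr3]
    armed = [dict(bp, address=addrs[bp["index"]]) for bp in d["breakpoints"]]
    loader_pattern = (regs.dr7 & 0x700) == 0x700     # LE and GE both set
    findings = []
    if loader_pattern:
        findings.append("DR7 has LE|GE set (0x700): SoftICE Loader pattern")
    for bp in armed:
        findings.append(f"DR{bp['index']} armed: {bp['type']}, {bp['length']} "
                        f"at {bp['address']:#010x}")
    if d["gd"]:
        findings.append("GD set: any further debug-register access traps")
    verdict = "debugger-indicators" if findings else "clean"
    return {"verdict": verdict, "loader_pattern": loader_pattern,
            "armed": armed, "findings": findings}


if __name__ == "__main__":
    # Constructed values: a clean system, a SoftICE Loader session, and a
    # session with one 4-byte read/write BPM on DR0.
    for regs in (DebugRegisters(), DebugRegisters(dr7=0x700),
                 DebugRegisters(dr0=0x401000, dr7=0xF0701)):
        r = assess(regs)
        print(f"DR7={regs.dr7:#x}: {r['verdict']}", *r["findings"], sep="\n    ")
```

Because the heuristic is a plain comparison against 0x700, it is brittle on any system where LE/GE are set for another reason, which is why the decoder reports the individual bits rather than only the verdict.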

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Opening the VxD's device name only succeeds if the driver is loaded. */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE?
        00401074: je 00401091           ; yes: not loaded


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
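As an added example (not part of the original text), the following Python scanner looks for the Win32-era indicators of Methods 11, 12 and 13 in a file image: the \\.\SICE, \\.\SIWVID and \\.\NTICE device names opened by MeltICE and the _lopen variant, the registry paths listed above, and the push 4Fh / push 002A002Ah pair of the VxDCall check. Strings are matched in both ANSI and UTF-16LE form and case-insensitively, as Windows treats them; Indicator and find_indicators are names chosen here, and the sample buffer is constructed for the demonstration.

```python
import re
from dataclasses import dataclass


@dataclass
class Indicator:
    offset: int
    method: str
    kind: str
    encoding: str
    value: str


DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]          # Method 11
REGISTRY_PATHS = [r"Software\NuMega\SoftICE",                       # Method 13, key #2
                  r"Uninstall\SoftICE",                             # tail of key #1
                  r"App Paths\Loader32.Exe"]                        # tail of key #3
ENCODINGS = ("ascii", "utf-16le")

# Method 12: push 4Fh (imm8 or imm32 form) followed by push 002A002Ah.
VXDCALL_INT41 = re.compile(
    rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00).{0,4}?\x68\x2A\x00\x2A\x00", re.DOTALL)


def _string_patterns():
    pats = []
    for method, kind, names in (("11", "device name", DEVICE_NAMES),
                                ("13", "registry path", REGISTRY_PATHS)):
        for name in names:
            for enc in ENCODINGS:
                # Object and registry names are case-insensitive on Windows.
                rx = re.compile(re.escape(name.encode(enc)), re.IGNORECASE)
                pats.append((method, kind, enc, name, rx))
    return pats


STRING_PATTERNS = _string_patterns()


def find_indicators(data: bytes) -> list:
    """Return every indicator found in the buffer, ordered by offset."""
    found = []
    for method, kind, enc, name, rx in STRING_PATTERNS:
        for m in rx.finditer(data):
            found.append(Indicator(m.start(), method, kind, enc, name))
    for m in VXDCALL_INT41.finditer(data):
        found.append(Indicator(m.start(), "12", "VxDCall", "code",
                               "VWIN32_Int41Dispatch (002A002Ah), function 4Fh"))
    return sorted(found, key=lambda i: i.offset)


# Constructed sample buffer (not from a real program): a fake header, an ANSI
# and a UTF-16LE device name, a registry path and the Method 12 push pair.
SAMPLE = b"".join([
    b"MZ\x90\x00" + b"\x00" * 12,                          # 0..16  fake header
    b"\\\\.\\SICE\x00",                                    # 16..25 ANSI device name
    b"\x00" * 7,                                           # 25..32 padding
    r"\\.\NTICE".encode("utf-16le") + b"\x00\x00",         # 32..52 UTF-16LE device name
    b"\x00" * 4,                                           # 52..56 padding
    b"Software\\NuMega\\SoftICE\x00",                       # 56..80 registry path
    b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00",  # 80..  push 4Fh / push 2A002Ah / call [..]
])

if __name__ == "__main__":
    for i in find_indicators(SAMPLE):
        print(f"{i.offset:#010x}  method {i.method}  {i.kind} ({i.encoding}): {i.value}")
```

On a packed executable the strings only appear after unpacking, so run the scanner over a memory dump of the running process as well as over the file on disk; a device-name hit is the static counterpart of the BPX CreateFileA breakpoint above, and a registry-path hit of the BPX _regopenkey one.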

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>