<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: INT 3 is called with
EBP = 'BCHK' and AX = 04h. If SoftICE is loaded, its INT 3 handler services
the request and AL does not come back as 04h; if it is not loaded, the
registers are left untouched.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' interface, reached through INT 3, which gives
information on breakpoints or executes SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; DS:DX points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) installed
by the program, which catches the INT 3 when no debugger is loaded.

___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD through INT 2Fh/AX=1684h
(Get Device API Entry Point): if a VxD with the requested ID is loaded,
ES:DI is returned pointing to its API entry point, otherwise ES:DI is 0:0.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di                  ; (an OR would be safer than ADD here)
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX (video) VxD, SIWVID.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by any
system debugger. It calls INT 41h, function 4Fh (debugger installation
check).
There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_Detected


The next method, as well as the following one (Method 06), are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net):
This variant first swaps its own dummy handler (a bare IRET) into the INT 41h
vector of the interrupt vector table, so that a hook of INT 41h installed in
the IVT is bypassed; SoftICE, which intercepts the interrupt before the
real-mode vector is reached, still answers with 0F386h. (ES must be 0 here,
as it is set in Method 06.)

        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install the dummy handler,
        xchg    bx, es:[41h*4+2]        ; saving the original vector
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_Detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect, since it uses
neither function 4Fh nor the 0F386h magic value. The program's own INT 41h
handler copies AL into CL. Before the call, AL is loaded with a value read
from the timer (port 40h) and CX is cleared: if the interrupt reaches the
program's handler, CL equals AL afterwards; if SoftICE services INT 41h
itself without passing it on to the program's handler, CL stays 0 and the
comparison fails. (A zero read from the timer gives a false negative.)

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP


        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our handler,
        xchg    bx, es:[41h*4+2]        ; saving the original vector
        in      al, 40h                 ; pseudo-random value from the timer
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on INT 68h (V86), function AH=43h,
which returns the same 0F386h magic value:

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client
        EIP at [ebp+48h] for 32-bit apps)

___________________________________________________________________________
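The instruction sequences of Methods 01 to 07 are easy to recognise statically, which is usually what you want before letting a packed program run. The scanner below is an added example, not code from the original text or from any program or tool it mentions: it encodes the sequences above as byte signatures (immediates are little-endian, so 'BCHK' becomes 4B 48 43 42 and SI=4647h becomes BE 47 46), finds them in a raw code blob and, for the back-door trick of Method 02, recovers the AX function number. The sample blob is constructed here from the Haspinst.exe listing of Method 02 plus the snippets of Methods 01, 03 and 05; the signature names and the small search windows between the parts of a sequence are my own choices.

```python
"""Static signature scanner for the SoftICE detection tricks of Methods 01-07.

Added example for this page; it is not code from the original text or from
any of the tools/programs mentioned on it.  Patterns are the x86 encodings
of the listed instructions; immediates are little-endian, and an operand-size
prefix (66h) in 32-bit code simply precedes the bytes matched here.
"""
import re

# Back-door functions reached through INT 3 with SI=4647h ('FG'), DI=4A4Dh ('JM').
BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at DS:DX",
    0x0912: "get breakpoint information",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}

# (name, regex over raw bytes).  The lazy gaps ".{0,n}?" tolerate a few
# unrelated instructions between the parts of a sequence (the window sizes
# are an assumption, not something the tricks require).
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker 'BCHK' INT 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,6}?\xCC", re.S)),
    # Method 02: mov si,4647h ; mov di,4A4Dh (either order) ... int 3
    ("02 SoftICE back door SI='FG' DI='JM' INT 3",
     re.compile(rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
                rb".{0,8}?\xCC", re.S)),
    # Method 03/04: mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh
    ("03 INT 2Fh/1684h VxD ID 0202h (WINICE)",
     re.compile(rb"\xB8\x84\x16.{0,6}?\xBB\x02\x02.{0,6}?\xCD\x2F", re.S)),
    ("04 INT 2Fh/1684h VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,6}?\xBB\x5F\x7A.{0,6}?\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("05 INT 41h/4Fh debugger installation check",
     re.compile(rb"\xB8\x4F\x00.{0,6}?\xCD\x41.{0,12}?\x3D\x86\xF3", re.S)),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("07 INT 68h/43h WinICE handler check",
     re.compile(rb"\xB4\x43.{0,6}?\xCD\x68.{0,12}?\x3D\x86\xF3", re.S)),
]


def scan(blob):
    """Return sorted (offset, signature name) pairs for every hit in blob."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def backdoor_function(blob, offset):
    """For a Method 02 hit at `offset`, look back up to 12 bytes for the last
    'mov ax,09xxh' (B8 xx 09) and return the function number, else None."""
    window = blob[max(0, offset - 12):offset]
    found = None
    for m in re.finditer(rb"\xB8(.)\x09", window, re.S):
        found = 0x0900 | m.group(1)[0]
    return found


def report(blob):
    """Human-readable summary of scan() results, one line per hit."""
    lines = []
    for offset, name in scan(blob):
        line = "%06X  Method %s" % (offset, name)
        if name.startswith("02"):
            fn = backdoor_function(blob, offset)
            if fn is not None:
                line += "  [AX=%04Xh: %s]" % (fn, BACKDOOR_FUNCS.get(fn, "unknown"))
        lines.append(line)
    return lines


# Constructed sample: the Method 01 snippet, the Haspinst.exe loop of Method 02,
# then the Method 03 and Method 05 snippets, with NOP padding (hex offsets in comments).
SAMPLE_STUB = (
    b"\x90\x90"                                   # 00: nop padding
    b"\x66\xBD\x4B\x48\x43\x42"                   # 02: mov ebp,4243484Bh
    b"\x66\xB8\x04\x00"                           # 08: mov ax,4
    b"\xCC"                                       # 0C: int 3
    b"\x3C\x04\x75\x10"                           # 0D: cmp al,4 / jnz ...
    b"\xB8\x11\x09"                               # 11: mov ax,0911h
    b"\x8B\x17"                                   # 14: mov dx,[bx]
    b"\xBE\x47\x46"                               # 16: mov si,4647h
    b"\xBF\x4D\x4A"                               # 19: mov di,4A4Dh
    b"\xCC"                                       # 1C: int 3
    b"\x83\xC3\x02\x41\x83\xF9\x06\x72\xEB"       # 1D: add bx,2/inc cx/cmp cx,6/jb
    b"\xE9\x55\xFF\x8B\xDC"                       # 26: jmp 0002 / mov bx,sp
    b"\x33\xFF\x8E\xC7"                           # 2B: xor di,di / mov es,di
    b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # 2F: mov ax,1684h/mov bx,202h/int 2Fh
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"   # 37: mov ax,4Fh/int 41h/cmp ax,0F386h/jz
    b"\x90\x90\x90"                               # 41: nop padding
)

if __name__ == "__main__":
    for line in report(SAMPLE_STUB):
        print(line)
```

Run it on a raw dump of the packer stub (or on the whole file; false positives are rare because each signature needs several specific immediates in order). The INT 3 sequences also appear with the two-byte form CD 03 in some packers, which these signatures do not cover; add `(?:\xCC|\xCD\x03)` in place of `\xCC` if you meet that.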


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system, by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector), with
DS:DX pointing to the new routine to execute (which hangs the computer...)

        mov     ah, 25h                 ; DOS: set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
of that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID
        mov     edi, Device_Name        ; only used if no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!

This trick is very efficient:
by reading the debug registers (ring 0 only), you can detect whether SoftICE
is loaded (DR7 = 0x700 if you loaded the program with the SoftICE loader,
0x400 otherwise), or whether memory breakpoints (BPM) are set, simply by
looking at DR0 to DR3 (the enable bits in DR7 tell which of them are armed).
Values can be manipulated or changed as well (clearing BPMs, for instance).

___________________________________________________________________________
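Method 10 relies on the layout of DR7, so it helps to see what the two values quoted above actually encode. The decoder below is an added example written for this page (not from the original text or any tool it names); the bit layout follows the Intel SDM. It shows that 0x400 is only the reserved, always-one bit 10 of DR7, while 0x700 additionally has LE and GE (exact breakpoint matching) set, and that neither value arms DR0-DR3; the small encoder builds the bits a BPM would add so the decoder can be exercised.

```python
"""Decoder for the x86 DR7 debug-control register used by Method 10.

Added example; not code from the original text.  Bit layout follows the
Intel SDM (Vol. 3, Debug Registers): L0/G0..L3/G3 in bits 0-7, LE bit 8,
GE bit 9, bit 10 reserved and always 1 (hence the bare 0x400), GD bit 13,
then for each DRn a 2-bit R/W field (bits 16+4n) and a 2-bit LEN field
(bits 18+4n).
"""

RW_TYPES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 8 only valid in 64-bit mode


def decode_dr7(dr7):
    """Split DR7 into its global flags and the four breakpoint slots."""
    slots = []
    for n in range(4):
        slots.append({
            "dr": n,
            "local": bool((dr7 >> (2 * n)) & 1),
            "global": bool((dr7 >> (2 * n + 1)) & 1),
            "type": RW_TYPES[(dr7 >> (16 + 4 * n)) & 3],
            "len": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "slots": slots,
    }


def armed_slots(dr7):
    """Indices of DR0-DR3 that are enabled (locally or globally): BPMs set."""
    return [s["dr"] for s in decode_dr7(dr7)["slots"] if s["local"] or s["global"]]


def looks_like_softice_loader(dr7):
    """The page's heuristic: DR7 = 0x700 (LE and GE set, nothing armed) when
    the program was started through the SoftICE loader, 0x400 otherwise."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"] and not armed_slots(dr7)


def encode_bpm(slot, kind, length, global_=True):
    """Build the DR7 bits one memory breakpoint (BPM) in `slot` needs:
    the reverse of decode_dr7, used here to exercise it."""
    rw = {v: k for k, v in RW_TYPES.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    bits = 0x400 | (1 << (2 * slot + (1 if global_ else 0)))
    bits |= rw << (16 + 4 * slot)
    bits |= ln << (18 + 4 * slot)
    return bits


if __name__ == "__main__":
    for value in (0x400, 0x700, 0x700 | encode_bpm(0, "write", 4)):
        d = decode_dr7(value)
        print("DR7=%08X  LE=%s GE=%s GD=%s armed=%s"
              % (value, d["LE"], d["GE"], d["GD"], armed_slots(value)))
```

Reading the registers themselves still needs ring 0 (MOV from DRn faults in ring 3), which is why the page says "ring0 only"; the decoder is what you run on the value once you have it, or on a DR7 you see in SoftICE's own register display.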

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, do not expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001 / VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how could a shareware program load/unload
a non-dynamically loadable driver such as SoftICE anyway ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025        ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp  eax,-001
00401074: je   00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; the +4 skips the "\\.\" prefix, so
  the comparison looks at the first 4 characters of the device name.)

-The most exotic ones (can be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(Methods 05 & 06), but very limited because it is only available under
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word: which VxD (VWIN32)
                                        ; low word: which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (the offsets 0x13 and 0x37 are where "tICE"
falls inside the subkey strings of #2 and #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>