<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with
EBP = 'BCHK' and AH = 04h, SoftICE intercepts the INT 3 and modifies
AL, so if AL still holds 4 afterwards no SoftICE answered.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4                   ; AL untouched -> no SoftICE
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV  AX,0911        ; execute command.
4C19:0098 MOV  DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647        ; 1st magic value.
4C19:009D MOV  DI,4A4D        ; 2nd magic value.
4C19:00A0 INT  3              ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD  BX,02          ; BX+2 to point to the next command to execute
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06          ; Repeat 6 times to execute
4C19:00A8 JB   0095           ; 6 different commands.
4C19:00AA JMP  0002           ; Bad_Guy jmp back.
4C19:00AD MOV  BX,SP          ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded: without SoftICE the INT 3 is a plain breakpoint
  exception, with SoftICE it returns normally after running the command.
___________________________________________________________________________

Method 03
=========
Less used method. It asks for the SoftICE VxD's API entry point via
int 2Fh/1684h (Get VxD API Entry Point): ES:DI is left at 0000:0000 when
no VxD with that device ID is loaded.

        xor     di, di
        mov     es, di                  ; ES:DI = 0:0 before the call
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE (SICE)
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di                  ; zero only if neither half was set
        test    ax, ax
        jnz     SoftICE_Detected

(An OR instead of the ADD would be more robust, since ES+DI can wrap to
zero for an unlucky entry point; the ADD is what the packers actually use.)

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh (debugger installation
check).
There are several variants.
The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). On a plain DOS machine with no debugger
the int 41h vector does not even point at code (the BIOS uses it as the
pointer to the fixed-disk parameter table), so the simple version above can
crash. Stone's variant first swaps a dummy IRET handler into the vector at
0000:0104h, calls int 41h, then restores the original vector. SoftICE still
answers 0F386h because it handles the interrupt in ring 0 before the V86
vector is ever reached:

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install our handler, keep the old one
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_Detected

int41handler2 PROC
        iret                            ; does nothing: AX stays 4Fh
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========
A 2nd method similar to the preceding one but harder to detect, because no
magic number is ever compared: the dummy handler copies AL into CL, so if
the program's own handler ran, CL equals AL afterwards. If SoftICE
intercepts the int 41h instead, the handler never runs and CL is still 0
(from the xor cx,cx) while AL holds the byte read from port 40h; the
mismatch gives SoftICE away. (If the byte read from the timer happens to
be 0 the check silently fails to detect.)

int41handler PROC
        mov     cl, al                  ; CL = AL proves our handler ran
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install our handler, keep the old one
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; pseudo-random byte from the timer port
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_Detected

_________________________________________________________________________

Method 07
=========
Method detecting the WinICE handler on int 68h (V86 mode): function 43h is
the debugger installation check and returns 0F386h in AX.

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h (the single-step and breakpoint
interrupts every debugger depends on) and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...).

        mov     ah, 25h                 ; DOS: set interrupt vector
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service determines whether a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it
is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only) you can detect whether
SoftICE is loaded (DR7 = 0x700 if you loaded the program with the SoftICE
loader, 0x400 otherwise) and whether any memory breakpoints (BPM) are set,
since those live in DR0 to DR3 with their enable bits in DR7. The values
can be manipulated or changed as well (clearing BPMs, for instance), which
is why an active BPM is lost as soon as the protected code runs this.
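As an added example (not part of the original text, nor of any protector's code), the following Python decodes a DR7 value the way a ring 0 check would interpret it, lists the BPMs armed in DR0 to DR3, and shows what a protector writes back to disarm them. The 0x400 and 0x700 baselines are the ones quoted above; the field layout is the documented x86 DR7 layout; the register values in the sample are constructed for the example and nothing here touches real debug registers.

```python
# Added example: decode x86 DR7 the way a ring-0 SoftICE check would, list the
# BPMs armed in DR0-DR3, and compute the value a protector writes back to clear
# them. The register contents below are constructed; nothing here touches real
# debug registers (that needs ring 0, as the text says).

DR7_LE = 0x100             # local exact breakpoint enable (bit 8)
DR7_GE = 0x200             # global exact breakpoint enable (bit 9)
DR7_RESERVED = 0x400       # bit 10 always reads as 1: the 0x400 baseline of the text
DR7_GD = 0x2000            # general detect (bit 13): traps any MOV to/from DRx

RW_NAMES = {0: "execute", 1: "write", 2: "I/O read/write", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn encoding; 10b = 8 bytes on P6 and later


def decode_dr7(dr7):
    """Split DR7 into the four breakpoint slots and the global flags."""
    slots = []
    for n in range(4):
        slots.append({
            "local": bool((dr7 >> (2 * n)) & 1),          # Ln bit
            "global": bool((dr7 >> (2 * n + 1)) & 1),     # Gn bit
            "rw": (dr7 >> (16 + 4 * n)) & 3,              # R/Wn field
            "len": (dr7 >> (18 + 4 * n)) & 3,             # LENn field
        })
    return {
        "slots": slots,
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
    }


def softice_loader_hint(dr7):
    """The text's heuristic: 0x700 (LE and GE set) after the SoftICE loader, 0x400 otherwise."""
    return bool(dr7 & DR7_LE) and bool(dr7 & DR7_GE)


def active_breakpoints(dr0_3, dr7):
    """Return (slot, address, kind, length) for every armed hardware breakpoint."""
    found = []
    for n, slot in enumerate(decode_dr7(dr7)["slots"]):
        if slot["local"] or slot["global"]:
            found.append((n, dr0_3[n], RW_NAMES[slot["rw"]], LEN_BYTES[slot["len"]]))
    return found


def clear_breakpoints(dr7):
    """What a protector writes back to kill every BPM: keep the flags and the
    reserved bit, drop all enable, R/W and LEN bits."""
    return dr7 & (DR7_LE | DR7_GE | DR7_RESERVED | DR7_GD)


def report(dr0_3, dr7):
    """Human-readable summary, one line per finding."""
    lines = [f"DR7 = {dr7:#010x}  SoftICE loader: {softice_loader_hint(dr7)}"]
    for n, addr, kind, length in active_breakpoints(dr0_3, dr7):
        lines.append(f"  DR{n} = {addr:#010x}  {kind}, {length} byte(s)")
    return lines


# Constructed scenario: program started with the SoftICE loader (0x700), then
# 'BPM 401000 RW' in slot 0 (L0 = bit 0, R/W0 = 11b at bits 16-17, LEN0 = 00b)
# and 'BPM 402000 W' on a dword in slot 1 (L1 = bit 2, R/W1 = 01b at bit 20,
# LEN1 = 11b at bits 22-23).
SAMPLE_DR0_3 = [0x00401000, 0x00402000, 0, 0]
SAMPLE_DR7 = 0x700 | 0x1 | 0x30000 | 0x4 | 0x100000 | 0xC00000   # = 0xD30705

if __name__ == "__main__":
    for clean in (0x400, 0x700):
        print("\n".join(report([0, 0, 0, 0], clean)))
    print("\n".join(report(SAMPLE_DR0_3, SAMPLE_DR7)))
    print("\n".join(report(SAMPLE_DR0_3, clear_breakpoints(SAMPLE_DR7))))
```

Running it prints the two clean baselines, then the two armed BPMs, then the same registers after clear_breakpoints(), where the BPMs are gone but DR7 is back to the 0x700 that still betrays the loader; a protector that wants to hide from the loader check as well would also have to clear LE/GE, which it cannot do if it wants to look like a machine without SoftICE where bit 10 alone is set.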

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the C spelling of the device path \\.\SICE */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);         /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function) and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001         ; INVALID_HANDLE_VALUE
        00401074: je   00401091         ; open failed -> no SoftICE

There are hundreds of BPX you could use to detect this trick.
-The most classical one is (the driver name starts 4 bytes after the
 "\\.\" prefix, hence the +4):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32)
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_Detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; offsets
13h and 37h are where "tICE" sits inside key #2 and key #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
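Pulling the constants of this list together, here is an added example (not code from the original page, nor from any packer or from NuMega) that statically scans a binary for the byte patterns of the tricks in methods 01 to 07 and 12, the \\.\SICE, \\.\SIWVID and \\.\NTICE device names of method 11, and the registry key fragments of method 13. The patterns are written out from the instruction encodings shown in the listings (the 66h operand-size prefix that 32-bit code puts in front of the 16-bit MOVs is simply not part of the pattern, so both flavours match); the sample buffer is constructed for the example.

```python
# Added example: static scan of a binary for the anti-SoftICE tricks of this
# list (methods 01-07, 11, 12, 13). Patterns are the raw byte encodings of the
# listings above; the sample buffer is constructed, not taken from any program.
import re
import sys

# (label, regex over raw bytes, extra regex flags). Opcode patterns allow a
# few wildcard bytes between the immediate load and the INT so small
# reorderings still match; they are byte-exact, so no IGNORECASE for them.
SIGNATURES = [
    ("01 BoundsChecker 'BCHK' signature in EBP",
     rb"\xBD\x4B\x48\x43\x42", 0),                      # mov ebp,4243484Bh
    ("02 SoftICE int 3 back door (SI=4647h, DI=4A4Dh)",
     rb"\xBE\x47\x46.{0,4}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,4}?\xBE\x47\x46", 0),
    ("03 int 2Fh/1684h with SICE VxD ID 0202h",
     rb"\xBB\x02\x02.{0,8}?\xCD\x2F", 0),               # mov bx,0202h ... int 2Fh
    ("04 int 2Fh/1684h with SIWVID VxD ID 7A5Fh",
     rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F", 0),               # mov bx,7A5Fh ... int 2Fh
    ("05/06 int 41h function 4Fh",
     rb"\xB8\x4F\x00.{0,4}?\xCD\x41", 0),               # mov ax,4Fh ... int 41h
    ("07 int 68h function 43h",
     rb"\xB4\x43.{0,4}?\xCD\x68", 0),                   # mov ah,43h ... int 68h
    ("12 VxDCall VWIN32_Int41Dispatch(4Fh)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00", 0),              # push 4Fh / push 2A002Ah
    ("05/07/12 compare AX with magic 0F386h",
     rb"\x3D\x86\xF3", 0),                              # cmp ax,0F386h
    ("11 MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", re.IGNORECASE),
    ("13 SoftICE registry key",
     rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe", re.IGNORECASE),
]


def scan(data):
    """Return a sorted list of (offset, label) for every signature hit in data."""
    hits = []
    for label, pattern, flags in SIGNATURES:
        for m in re.finditer(pattern, data, flags | re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: a method 02 back-door call, a method 05 check, and the
# two strings, glued together with a little padding.
SAMPLE = bytes.fromhex(
    "90 90"        # nop; nop
    "B8 11 09"     # mov ax,0911h   (execute SoftICE command)
    "BE 47 46"     # mov si,4647h
    "BF 4D 4A"     # mov di,4A4Dh
    "CC"           # int 3
    "B8 4F 00"     # mov ax,4Fh
    "CD 41"        # int 41h
    "3D 86 F3"     # cmp ax,0F386h
    "74 00"        # jz $+2
) + b"\\\\.\\SICE\x00" + b"Software\\NuMega\\SoftICE\x00"


def main(argv):
    """Scan the file named on the command line, or the built-in sample."""
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    for offset, label in scan(data):
        print(f"{offset:08x}  {label}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no argument to see the five hits in the sample, or with a packed executable to get a quick map of which of the tricks above it carries; the offsets are file offsets, so add the section base to turn them into addresses for a BPX. The 0F386h compare is listed on its own because methods 05, 07 and 12 all end with it, and a lone hit on that constant is often the first clue that one of them is present in a form the other patterns did not catch.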

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only). The zero flag is clear when one is installed:

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>