<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of SoftICE detection (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface of SoftICE: int 3 is called with
the 'BCHK' signature in EBP and AX=4; if SoftICE is loaded it answers the
call and AL is changed.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information about breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command - the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI still 0 -> VxD not present
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

A method that looks for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs              ; ES is assumed to point to the IVT (segment 0)
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler,
    xchg bx, es:[41h*4+2]   ; keeping the old vector in BX:DX
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our handler leaves AX alone, SoftICE answers anyway
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but harder to detect:


int41handler PROC
    mov cl, al              ; our handler just copies AL into CL
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax              ; ES = 0 -> the interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer: a pseudo-random value in AL
    xor cx, cx
    int 41h                 ; our handler sets CL=AL unless SoftICE grabs the int
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their values (ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the \\.\SICE device succeeds only if the SoftICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025 ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, there are several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
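As an added example (not part of the original text and not the author's code), here is a small static scanner that looks for the byte encodings and strings the methods above leave in a file, so an analyst can list which of the tricks a packed program uses before running it under a debugger. The instruction encodings assume the register choices shown in the listings (16-bit, or 32-bit with a 66h prefix), and the sample blob is constructed, not taken from a real file.

```python
import re

# Byte-level signatures for the tricks listed above (regex over raw bytes;
# DOTALL lets '.' stand for any byte so short gaps between instructions pass).
SIGNATURES = [
    (1, "BCHK tag: mov ebp,4243484Bh", rb"\xBD\x4B\x48\x43\x42"),
    (3, "int 2Fh/1684h, VxD ID 0202h (SICE)",
     rb"(?:\xB8\x84\x16.{0,6}\xBB\x02\x02|\xBB\x02\x02.{0,6}\xB8\x84\x16).{0,6}\xCD\x2F"),
    (4, "int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     rb"(?:\xB8\x84\x16.{0,6}\xBB\x5F\x7A|\xBB\x5F\x7A.{0,6}\xB8\x84\x16).{0,6}\xCD\x2F"),
    (5, "mov ax,4Fh / int 41h", rb"\xB8\x4F\x00\xCD\x41"),
    (5, "cmp ax,0F386h (debugger magic number)", rb"\x3D\x86\xF3"),
    (7, "mov ah,43h / int 68h", rb"\xB4\x43\xCD\x68"),
    (11, "MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    (12, "VxDCall 2A002Ah/4Fh (VWIN32_Int41Dispatch)", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    (13, "NuMega registry key", rb"Software\\NuMega\\SoftICE"),
]

# Method 02: mov si,4647h and mov di,4A4Dh in either order, then int 3 (CCh).
BACKDOOR = re.compile(
    rb"(?:\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46).{0,16}\xCC",
    re.DOTALL)
BACKDOOR_FUNCS = {0x10: "display string", 0x11: "execute command",
                  0x12: "get breakpoints", 0x13: "set breakpoint", 0x14: "remove breakpoint"}


def scan(data: bytes):
    """Return sorted (offset, method number, description) hits found in data."""
    hits = []
    for method, label, pattern in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), method, label))
    for m in BACKDOOR.finditer(data):
        # Look a few bytes back for 'mov ax,09xxh' to name the back door function.
        window = data[max(0, m.start() - 16):m.start()]
        func = re.search(rb"\xB8([\x10-\x14])\x09", window)
        name = BACKDOOR_FUNCS[func.group(1)[0]] if func else "unknown function"
        hits.append((m.start(), 2, f"int 3 back door SI=4647h DI=4A4Dh ({name})"))
    return sorted(hits)


def methods_used(data: bytes):
    """Set of method numbers (as numbered above) detected in data."""
    return {method for _, method, _ in scan(data)}


# Constructed sample (not a real file): the Haspinst sequence, the simple
# int 41h check, a MeltICE device name and the int 2Fh/1684h check.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # Method 02
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"           # Method 05
    + b"\x00\\\\.\\SICE\x00"                                 # Method 11
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                    # Method 03
)

if __name__ == "__main__":
    for off, method, label in scan(SAMPLE):
        print(f"{off:06X}  Method {method:02d}  {label}")
```

Short patterns such as the 3-byte cmp ax,0F386h will produce occasional false hits in large files; treat the output as a list of places to look at, not as proof.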


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring0
only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>