<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al is left unchanged when SoftICE is not loaded
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce commands; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI stays 0000:0000 if the VxD is absent
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (interrupt vector table segment), as set up in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in a do-nothing int 41h handler,
    xchg bx, es:[41h*4+2]   ; keeping the old vector in bx:dx
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; a value our handler is expected to copy into cl
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl != al means our handler was not the one that ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), with ds:dx pointing
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the Win32 device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open only succeeds when the driver is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001        ; INVALID_HANDLE_VALUE
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
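As an added example that is not part of the original text, here is a small Python triage scanner that flags the traces these methods leave in a binary: the immediates of methods 01, 02, 03/04, 05 and 12, and the device-name and registry strings of methods 11 and 13. The byte patterns and the sample buffer are constructed for this example (you would normally feed it a real PE file); a hit means the trick is present in the file, not that SoftICE is loaded.

```python
import re

# Constructed for this example, not from the original text: raw x86 encodings of
# the immediates the tricks above use, keyed by the method number they belong to.
CODE_SIGNATURES = {
    "m01 BoundsChecker 'BCHK' (mov ebp,4243484Bh)": rb"\xbd\x4b\x48\x43\x42",
    "m02 INT 3 back door magic (mov si,4647h / mov di,4A4Dh)":
        rb"\xbe\x47\x46(?:\x00\x00)?\x66?\xbf\x4d\x4a",
    "m03/m04 int 2Fh/1684h with SICE or SIWVID VxD ID":
        rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)",
    "m05/m12 compare with debugger magic (cmp ax,0F386h)": rb"\x3d\x86\xf3",
    "m12 VxDCall VWIN32_Int41Dispatch (push 002A002Ah)": rb"\x68\x2a\x00\x2a\x00",
}

# Device names (method 11) and registry keys (method 13), matched in both
# ASCII and UTF-16LE so wide-string builds are caught too.
STRING_SIGNATURES = {
    "m11 MeltICE device name": [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"],
    "m13 SoftICE registry key": [r"NuMega\SoftICE", r"Uninstall\SoftICE",
                                 r"App Paths\Loader32.Exe"],
}

def _compile_all():
    """Build one compiled regex per label; only the string rules ignore case."""
    rules = {label: re.compile(pat) for label, pat in CODE_SIGNATURES.items()}
    for label, names in STRING_SIGNATURES.items():
        alts = []
        for name in names:
            alts.append(re.escape(name.encode("ascii")))
            alts.append(re.escape(name.encode("utf-16-le")))
        rules[label] = re.compile(b"|".join(alts), re.IGNORECASE)
    return rules

RULES = _compile_all()

def scan(data):
    """Return sorted (offset, label) pairs for every signature found in data."""
    hits = []
    for label, rx in RULES.items():
        hits.extend((m.start(), label) for m in rx.finditer(data))
    return sorted(hits)

# Constructed sample "binary": a few NOPs, then code and data fragments shaped
# like the listings above (the offset in each comment is where scan() reports it).
SAMPLE = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"  # hit @8: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\x66\xbe\x47\x46\x66\xbf\x4d\x4a\xcc"               # hit @21: mov si,4647h; mov di,4A4Dh; int 3
    + b"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00"           # hit @34: push 4Fh; push 002A002Ah
    + b"\xe8\x00\x00\x00\x00\x66\x3d\x86\xf3"               # hit @45: call ...; cmp ax,0F386h
    + b"\\\\.\\SICE\x00"                                     # hit @48: ASCII device name
    + "\\\\.\\NTICE".encode("utf-16-le")                     # hit @57: UTF-16LE device name
    + b"Software\\NuMega\\SoftICE\x00"                       # hit @84: registry key
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"0x{offset:04x}  {label}")
```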
: C$ B; O- T+ C6 o5 }. \" r7 A3 j</PRE></TD></TR></TBODY></TABLE> |