<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; ES must address the IVT (segment 0), as set up in Method 06
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original int 41h vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP
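
An added example in Python (not part of the original tutorial) that serves Methods 01, 03, 04 and 05 above: a small static signature scanner that flags their byte patterns in a dumped code section, so an analyst can triage a packed sample before stepping through it. The opcode encodings and the sample buffer are my own assumptions; Method 01 is encoded as 32-bit code and Methods 03 to 05 as 16-bit real-mode code.

```python
# Added example, not part of the original tutorial: a static signature scanner
# for the SoftICE checks of Methods 01, 03, 04 and 05, meant for triaging a
# dumped code section before stepping through it under a debugger.
# The byte encodings below are my own (assumptions): Method 01 is encoded as
# 32-bit code, Methods 03, 04 and 05 as 16-bit real-mode code.

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3 / cmp al,4
    "method01_bchk": "BD 4B 48 43 42 66 B8 04 00 CC 3C 04",
    # Method 03: mov ax,1684h / mov bx,0202h (SICE VxD ID) / int 2Fh
    "method03_int2f_sice": "B8 84 16 BB 02 02 CD 2F",
    # Method 04: same query with the SIWVID VxD ID 7A5Fh
    "method04_int2f_siwvid": "B8 84 16 BB 5F 7A CD 2F",
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "method05_int41_4f": "B8 4F 00 CD 41 3D 86 F3",
}


def parse_pattern(text):
    """Turn 'B8 ?? 16' into a list of ints, with None for a '??' wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def matches_at(data, pos, pattern):
    """True if pattern matches data at offset pos (wildcards match anything)."""
    if pos + len(pattern) > len(data):
        return False
    return all(b is None or data[pos + i] == b for i, b in enumerate(pattern))


def scan(data, signatures=SIGNATURES):
    """Return sorted (offset, signature name) pairs for every hit in data."""
    hits = []
    for name, text in signatures.items():
        pattern = parse_pattern(text)
        for pos in range(len(data) - len(pattern) + 1):
            if matches_at(data, pos, pattern):
                hits.append((pos, name))
    return sorted(hits)


# Constructed sample buffer: a few padding instructions, the Method 01 check
# followed by its jnz, two nops, the Method 05 check followed by its jz, ret.
SAMPLE = bytes.fromhex(
    "90 90 55 8B EC"                              # nop nop push ebp mov ebp,esp
    "BD 4B 48 43 42 66 B8 04 00 CC 3C 04 75 10"   # Method 01 at offset 5
    "90 90"
    "B8 4F 00 CD 41 3D 86 F3 74 05"               # Method 05 at offset 21
    "C3"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Feed it the raw bytes of an unpacked code section; any hit is a starting point for a breakpoint, not proof by itself, since the same opcodes can occur in unrelated code.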

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025          ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')   ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'         ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
and 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                                         ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f        ; slooooow!!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>