<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature handled by SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
    -AX = 0910h (Display string in SIce window)
    -AX = 0911h (Execute SIce command - the command string is at ds:dx)
    -AX = 0912h (Get breakpoint info)
    -AX = 0913h (Set SIce breakpoints)
    -AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
    -SI = 4647h
    -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, entry for int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; es is assumed to hold segment 0 (the IVT),
    xchg bx, es:[41h*4+2]   ; as set up explicitly in Method 06
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original int 41h vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A second method, similar to the preceding one but harder to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
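As an added example (not part of the original text, and not code from any of the protectors quoted above), here is a small Python byte-signature scanner that flags the instruction sequences of Methods 01 to 07 in a raw code image, the kind of static check an analyst runs on a packer's stub before stepping through it. The opcode encodings are standard 16-bit x86, with an optional 66h operand-size prefix tolerated where the operand width differs; the sample image is constructed here by hand from the page's own sequences and is not taken from any real file. It generalises the page slightly: the int 41h check also catches any mov/xchg that reads or writes the int 41h vector at 0000:0104h, which is the mechanism behind both of Stone's variants.

```python
import re
from typing import List, Tuple

# Byte signatures for the SoftICE probes of Methods 01-07.  Encodings assume
# 16-bit x86 code; a leading \x66 (operand-size prefix) is tolerated where a
# 32-bit operand appears in 16-bit code or a 16-bit one in 32-bit code.
# `.{0,8}?` is the tolerated gap between the instructions of one sequence.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("Method 01: BoundsChecker 'BCHK' signature via int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh ... int 3  (SoftICE back door)
    ("Method 02: SoftICE int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A.{0,16}?\xCC", re.DOTALL)),
    # Method 03: mov ax,1684h / mov bx,0202h / int 2Fh  (SICE VxD ID)
    ("Method 03: int 2Fh/1684h for VxD ID 0202h (SICE)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F", re.DOTALL)),
    # Method 04: same with VxD ID 7A5Fh (SIWVID)
    ("Method 04: int 2Fh/1684h for VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.DOTALL)),
    # Method 05: mov ax,4Fh / int 41h
    ("Method 05: int 41h/4Fh debugger installation check",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.DOTALL)),
    # Methods 05/06 (Stone's variants): xchg/mov of a word at es:[0104h] or
    # es:[0106h], i.e. the int 41h vector in the real-mode IVT.  Opcodes
    # 87/8B/89 = xchg r16,m16 / mov r16,m16 / mov m16,r16; a ModRM byte of
    # the form 00 rrr 110 (any register) selects a plain 16-bit displacement.
    ("Method 05/06: int 41h vector swapped in the IVT (0000:0104h)",
     re.compile(rb"\x26?[\x87\x8B\x89][\x06\x0E\x16\x1E\x26\x2E\x36\x3E][\x04\x06]\x01",
                re.DOTALL)),
    # Method 07: mov ah,43h / int 68h
    ("Method 07: int 68h/43h V86 handler check",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    # cmp ax,0F386h: the system-debugger magic answer checked by Methods 05-07
    ("magic answer 0F386h compared against AX",
     re.compile(rb"\x66?\x3D\x86\xF3", re.DOTALL)),
]


def scan(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in pattern.finditer(code):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(code: bytes) -> List[str]:
    """Distinct method labels present in `code`, e.g. ['Method 01', 'Method 03']."""
    labels = {name.split(":")[0] for _, name in scan(code) if name.startswith("Method")}
    return sorted(labels)


# Constructed sample image: the page's sequences hand-assembled as 16-bit code
# and concatenated (start offset of each chunk in the comment).
SAMPLE_IMAGE = (
    b"\x90\x90\x90\x90"                                    # 0x00: nop padding
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"  # 0x04: Method 01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # 0x10: Method 02 (Haspinst loop body)
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # 0x1C: Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # 0x28: Method 05, simple form
    + b"\x26\x87\x16\x04\x01\x26\x87\x1E\x06\x01"          # 0x30: xchg dx,es:[104h] / xchg bx,es:[106h]
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3"                      # 0x3A: Method 07
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE_IMAGE):
        print(f"{offset:#06x}  {name}")
```

The gaps (`.{0,8}?`) keep the scanner tolerant of a protector interleaving junk instructions between the loads and the `int`; widening them trades false positives for coverage, so the magic-answer signature is kept separate and is best read as corroboration next to a Method 05/07 hit rather than as a finding on its own.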
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring0 only). The values can be manipulated and/or changed as
well (clearing BPMs, for instance).

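As an added example, not part of the original text, here is a Python decoder for the DR7 value that this trick reads. The two values quoted above (0x700 with the SoftICE loader, 0x400 otherwise) are the page's observation; the bit layout used to interpret them is Intel's documented DR7 format (bit 10 is reserved and always reads as 1, which is where the 0x400 comes from; bits 8 and 9 are the LE/GE "exact breakpoint" enables, which is the only difference between 0x700 and 0x400; bits 0-7 arm the four hardware breakpoints, i.e. SoftICE's BPMs). The third sample value is constructed here to show a single armed memory breakpoint.

```python
from typing import Dict, List

# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   L0,G0 .. L3,G3   local/global enable of hardware breakpoint 0..3
#   bit  8/9   LE/GE            local/global "exact" breakpoint enables
#   bit 10     reserved, always reads as 1 (hence the 0x400 seen on the page)
#   bit 13     GD               general detect: trap any access to DR0-DR7
#   bits 16+   R/Wn, LENn       4 bits per breakpoint: condition and length
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


def decode_dr7(dr7: int) -> Dict:
    """Break a DR7 value into its flags and the list of armed breakpoints."""
    info = {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue                      # DRn not armed, whatever address it holds
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        info["breakpoints"].append({
            "index": n, "local": local, "global": glob,
            "type": RW_NAMES[rw], "length": LEN_BYTES[ln],
        })
    return info


def loaded_via_softice_loader(dr7: int) -> bool:
    """The page's observation (dr7 == 0x700 vs 0x400) reduces to LE|GE being set.
    Testing those two bits rather than the whole value keeps the answer stable
    when a BPM is armed at the same time."""
    return dr7 & 0x300 == 0x300


def memory_breakpoints_set(dr7: int) -> bool:
    """True if any of L0..G3 is set, i.e. at least one BPM is armed."""
    return any(dr7 & (1 << b) for b in range(8))


def describe(dr7: int) -> str:
    """One-line human-readable summary used by the demo below."""
    d = decode_dr7(dr7)
    parts = [f"dr7={dr7:#x}"]
    parts.append("LE/GE set (SoftICE loader start)" if loaded_via_softice_loader(dr7)
                 else "LE/GE clear")
    if d["GD"]:
        parts.append("GD set: any DRx access traps")
    for bp in d["breakpoints"]:
        scope = "global" if bp["global"] else "local"
        parts.append(f"BPM{bp['index']} {scope} {bp['type']} len={bp['length']}")
    if not d["breakpoints"]:
        parts.append("no memory breakpoints armed")
    return "; ".join(parts)


# Sample values: the first two are the page's, the third is constructed
# (G0 set, R/W0 = write, LEN0 = 4 bytes) on top of the reserved bit.
SAMPLES: List[int] = [0x700, 0x400, 0x400 | 0x2 | (0b01 << 16) | (0b11 << 18)]

if __name__ == "__main__":
    for value in SAMPLES:
        print(describe(value))
```

Reading the registers themselves needs ring0, as the text says; what the decoder adds is the distinction between "a BPM address is left in DR0" (invisible to the trick) and "a BPM is armed in DR7" (what the trick actually sees), which is why clearing DR7's enable bits before continuing is what makes the page's warning at the top of this method matter.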
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

    -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \Uninstall\SoftICE
    -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
    -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
         \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
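As an added example, not part of the original text, the Python below reproduces the two conditional breakpoints of Methods 11 and 13 as plain predicates over API arguments, the way an API monitor or sandbox log would present them. It assumes the stdcall layout the conditions rely on: at function entry esp->4 is CreateFileA's first argument (lpFileName, also _lopen's first argument) and esp->8 is RegOpenKey's second argument (lpSubKey); +4 on the file name skips the `\\.\` device prefix, and 0x13/0x37 are shown to be exactly where "tICE" sits inside keys #2 and #1. The call log at the bottom is constructed, not taken from any program; the device-name compare is done case-insensitively, which is a generalisation of the page's exact 4-byte compare.

```python
from typing import List, Tuple

DEVICE_PREFIX = "\\\\.\\"          # the literal \\.\ that precedes a device name
SOFTICE_DEVICES = ("SICE", "SIWVID", "NTICE")

# Registry keys listed in Method 13 (relative to HKEY_LOCAL_MACHINE).
SOFTICE_REG_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",   # #1
    r"Software\NuMega\SoftICE",                                       # #2
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",  # #3
)


def four_bytes_at(s: str, offset: int) -> str:
    """What a SoftICE condition such as *(esp->4+4)=='SICE' reads: the four
    bytes of the argument string from `offset` (a short string yields fewer
    bytes, so the compare simply fails instead of reading past the end)."""
    return s[offset:offset + 4]


def is_softice_device_open(filename: str) -> bool:
    """Emulates BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'.
    esp->4 is lpFileName; +4 skips the \\.\ prefix so the four-byte compare lands
    on the device name.  The same predicate fits _lopen's first argument.
    Case-insensitive here (device names are), unlike the page's raw compare."""
    if not filename.startswith(DEVICE_PREFIX):
        return False
    return four_bytes_at(filename, 4).upper() in {d[:4] for d in SOFTICE_DEVICES}


def is_softice_regkey(subkey: str) -> bool:
    """Emulates BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'.
    esp->8 is lpSubKey; 0x13 and 0x37 are the offsets of 'tICE' in keys #2 and #1."""
    return four_bytes_at(subkey, 0x13) == "tICE" or four_bytes_at(subkey, 0x37) == "tICE"


def tice_offsets() -> List[int]:
    """Position of 'tICE' in each Method 13 key (-1 if absent): demonstrates that
    the page's constants 0x37 and 0x13 are exactly those positions for #1 and #2."""
    return [k.find("tICE") for k in SOFTICE_REG_KEYS]


def triage(calls: List[Tuple[str, str]]) -> List[str]:
    """Run both predicates over (api, string-argument) pairs; one line per hit."""
    flagged = []
    for api, arg in calls:
        if api in ("CreateFileA", "_lopen") and is_softice_device_open(arg):
            flagged.append(f"{api}({arg!r}): SoftICE driver handle probe (Method 11)")
        elif api in ("RegOpenKeyA", "RegOpenKeyExA") and is_softice_regkey(arg):
            flagged.append(f"{api}({arg!r}): SoftICE registry lookup (Method 13)")
    return flagged


# Constructed call log (not from any real program): a mix of probes and
# ordinary calls that the predicates must leave alone.
SAMPLE_CALLS = [
    ("CreateFileA", "\\\\.\\SICE"),
    ("CreateFileA", "C:\\WINDOWS\\win.ini"),
    ("_lopen", "\\\\.\\SIWVID"),
    ("CreateFileA", "\\\\.\\NTICE"),
    ("RegOpenKeyA", "Software\\NuMega\\SoftICE"),
    ("RegOpenKeyA", "Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ("RegOpenKeyA", "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE"),
]

if __name__ == "__main__":
    print("'tICE' offsets in keys #1..#3:", [hex(o) for o in tice_offsets()])
    for line in triage(SAMPLE_CALLS):
        print(line)
```

Key #3 contains no "tICE", which is why the page's breakpoint has only two offsets and why a program that consults only the Loader32.Exe App Paths key would slip past it; a monitor that already has the whole string can compare against the three keys directly instead of at fixed offsets.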
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>