<TABLE width=500>
) {4 c5 D# c# N- s! I6 V<TBODY>8 A# ^ a4 d5 q/ ~) V5 d
<TR>+ V$ l: W3 M1 @! F7 l
<TD><PRE>Method 01
' b0 _. E0 E; c/ ~$ ?( Y. @=========- f4 J7 [7 r; V- ~# F% C
! {3 h; x. d/ X$ A) p( r: H
This method of detection of SoftICE (as well as the following one) is9 Q8 H( @% G( S& V& Z% R. B
used by the majority of packers/encryptors found on Internet.# N0 r5 x- T) c+ ~6 l
It seeks the signature of BoundsChecker in SoftICE( \$ Z4 P- Z+ @) _# S
' e0 ? R9 l; q [/ A
mov ebp, 04243484Bh ; 'BCHK'
$ X# `; h7 O2 {/ ^# \1 D1 E7 ~ mov ax, 04h2 U/ k& V1 ]) I1 K' R) d
int 3 / v; [3 n# o2 X# C
cmp al,4
" u! t! W* L0 e. j. T0 Q6 D' H, Q jnz SoftICE_Detected. V0 F+ y8 ] Z3 G- j) i$ B7 v
7 k9 A' H9 u3 X
___________________________________________________________________________" @ T7 w7 U9 i! x
. {, o( Z8 |3 {" m" @
Method 02# C* X# Q, n* d: }
=========- b! w+ q& d' j- `/ h* o8 m
4 n' w* I9 a1 FStill a method very much used (perhaps the most frequent one). It is used2 |- V+ n" k* n6 }% p/ q2 m
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,* `% @7 s9 I1 X4 {# X
or execute SoftICE commands...
0 S; _! {2 O8 OIt is also used to crash SoftICE and to force it to execute any commands
! I* ^5 V! y% T% w( p(HBOOT...) :-(( * t7 d# D9 n! M0 W" J
; e5 j, w; l; e- N7 q8 w: RHere is a quick description:% P2 q$ u3 ]- E; i3 n" a- [
-AX = 0910h (Display string in SIce windows)
! W! `+ o9 E& S) ^8 Q; Y-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)! b- r) a- {' l6 w9 E- U
-AX = 0912h (Get breakpoint infos)
0 |$ F( y% f8 ]-AX = 0913h (Set Sice breakpoints)- S1 S1 Z2 N8 n
-AX = 0914h (Remove SIce breakoints)
' C+ i2 j) s: B/ [ R/ I7 b" N, f+ R1 l H3 P4 o: P1 i
Each time you'll meet this trick, you'll see:
4 E* s: u& {' [- |/ e R& x-SI = 4647h. V2 d/ ~) I! T4 s" O" ^
-DI = 4A4Dh% A6 J3 p0 c1 H; ~% p( N
Which are the 'magic values' used by SoftIce. W5 J7 l: Z! _' O+ `
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.; r' R2 R) l+ W" V+ t$ m" e
2 r# a- N% l& r9 W4 r; yHere is one example from the file "Haspinst.exe" which is the dongle HASP" \. E& N9 L7 d- h' A z! X
Envelope utility use to protect DOS applications:2 h9 [4 C: c; Z. }& a* m$ c+ T
- B4 |7 f6 n) h% Z8 A0 x
, u9 q& r1 Y6 ^% q4 l
4C19:0095 MOV AX,0911 ; execute command.
" Q6 g" l2 X" j5 v% N4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below)." Q3 U2 J" T; G
4C19:009A MOV SI,4647 ; 1st magic value.5 k; ^2 ^: T& g& X
4C19:009D MOV DI,4A4D ; 2nd magic value. S8 t8 r% Y) ~6 Q. F: L
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)4 ^8 y M5 Z$ V8 ~+ x: n
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
0 ~0 ?/ D) d M2 X1 y4C19:00A4 INC CX* V8 `& f' T9 C3 w
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
# W h- X" c$ Y* D0 [6 g, Y4C19:00A8 JB 0095 ; 6 different commands.& T% d; ]6 w N! M2 Y
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
S3 K* S' F& Q. K% R* W# ?& r4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
9 `) s+ G1 k: L, r' X* U5 @4 b
% ]4 n7 h- U4 R2 M' b- PThe program will execute 6 different SIce commands located at ds:dx, which; {; z. w/ z. n2 M
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.4 F- q4 C0 S- }! c5 g/ s7 U$ |
$ h4 H% ]& L! i4 D
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.6 B8 A8 T: E$ Z, o2 t2 e, U; |8 n
___________________________________________________________________________2 c6 e0 l1 ?2 A m
3 p8 c/ {0 {0 H9 j2 e: |* A( \; |6 \2 j
Method 036 \0 A! J' f/ ]3 ^% ^8 y/ k( o. V/ b$ B
=========: a" D; w- f+ }# r" s4 m
, W% F5 G) X7 `" S( n
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
2 K( ~* l; ~4 E; Y/ B: ]. T* U! n3 a(API Get entry point)
. ~8 [# u' _- ?# K0 Q . Y& m# M7 o/ `5 I) Y
$ L, j. \' V& k, o [& {
xor di,di/ L: x' X$ @7 H. D+ L7 t' l% ^
mov es,di( s) D/ `5 w$ H0 o% s7 `
mov ax, 1684h " @* V6 Y3 e: y6 a
mov bx, 0202h ; VxD ID of winice
# a' m6 l3 @6 `! w* s int 2Fh% h _- U! u% S/ ]& O) L5 [
mov ax, es ; ES:DI -> VxD API entry point4 j; I* C/ T) C9 d; ?3 V& O3 |* p
add ax, di
# ^! K* I9 V5 l: y c test ax,ax
& g: D9 O$ g. u! u8 w$ g- A jnz SoftICE_Detected9 V6 o7 M4 \, _7 J* ?% F! @3 n2 V8 V
' \( l/ k' S$ Y5 x___________________________________________________________________________
1 |8 Y. Y; T9 s) o
3 D& R2 P7 M0 f! _1 i6 {0 h: DMethod 045 _4 [5 a3 U1 u% ]: g1 @
=========
: i( I! U) T( y4 z) @# {: }. p! F$ _4 j& z S8 r
Method identical to the preceding one except that it seeks the ID of SoftICE1 L8 ?$ ^ {1 r2 n
GFX VxD.$ Q' K0 P8 c s8 ]
( w9 C7 v: H5 o/ V6 \& p( _9 O7 E
xor di,di g2 @$ F2 p% D8 C* A. D$ }% b
mov es,di, \# X5 p% k+ y( y4 H
mov ax, 1684h # ~1 [" G5 j0 H5 h
mov bx, 7a5Fh ; VxD ID of SIWVID
; a: ]/ ^+ c- G' }# Q int 2fh
; A4 i, |7 b2 A5 G: x* B mov ax, es ; ES:DI -> VxD API entry point
% d& P' |1 [+ H- u9 s2 ?% J7 x add ax, di
- t: `/ s4 W3 \3 F test ax,ax
6 x" f1 m# ]* R N/ _! S# B jnz SoftICE_Detected {# m: n' U9 |/ A! V+ a
" y- A) U) v" i1 h0 |__________________________________________________________________________- |% l" y' `# o7 Q1 q, v( i* n; k
+ a# b _/ w6 W f& v
' r. U) X& K, b( zMethod 05
8 t6 c1 k- x. d1 ]( A# N. [) c=========! r$ L6 \( ?1 h$ ]; }
$ A& V$ V* Q; \. r: {0 Z& H* H- v1 J
Method seeking the 'magic number' 0F386h returned (in ax) by all system) L* f* t# c6 N4 m* y( [: {, r
debugger. It calls the int 41h, function 4Fh.
6 T' i4 n: |1 l7 k5 U$ ?* lThere are several alternatives. . ]( E, ^2 C: O6 i
3 D& h8 @0 K& Z+ Z3 XThe following one is the simplest:
. ]: C+ O5 [. Q% q5 _& e- h
5 T y# Y4 O% C0 V/ L( ~6 A$ E; @% b mov ax,4fh
3 r0 Q% k6 R# Y) a, J2 ]7 \) T int 41h! p) ^5 w; o# c8 |/ n0 ]* z
cmp ax, 0F386' p k& |( n* h# y% Q
jz SoftICE_detected* f8 ]: C* E! X7 x9 Y4 q! u* @
8 B4 ~% k, X2 p* i, ]# W( U+ D2 J: ^! @0 I8 m ]/ ^
Next method as well as the following one are 2 examples from Stone's % D. W8 u+ @$ j
"stn-wid.zip" (www.cracking.net):
2 n j V, t2 \( t2 o" S" `9 F
4 G: F" X! B: S! x+ {5 \ mov bx, cs4 Z+ ]" [: H3 s% |
lea dx, int41handler2
' q4 e# l" b" e7 ^ xchg dx, es:[41h*4], G5 f6 d# V$ ~- O) @3 i
xchg bx, es:[41h*4+2]8 R/ i& |0 m1 I& e8 [ i' K u, e# ~
mov ax,4fh' Z0 n7 M8 F9 E @# l* Z; q
int 41h
" k, J: e( x# e5 o" E0 I2 o1 G y xchg dx, es:[41h*4]
5 Q4 C: ]* | g; a# N xchg bx, es:[41h*4+2]
; ~9 i. `8 X3 V cmp ax, 0f386h
V+ H3 \: S# D. `0 u7 W1 c! i jz SoftICE_detected5 N7 ^- K9 l6 N* v9 x9 ^) \
4 G! S" q5 I' T# d; iint41handler2 PROC
8 a9 j$ v! M9 G) C( @ s9 ? iret8 ^4 C6 I7 g& q6 r: P$ X5 ~- X
int41handler2 ENDP
1 W# v* _. n, {, x6 I- j
! V6 @9 N: [8 O" F% w: \( F' }4 L0 d7 \ B# k) d, D" C' ~
_________________________________________________________________________
- j0 I9 A& U. U! E) l' \& s3 L
$ {' R) {0 |' m$ K& }7 } [6 A: R
; g2 @8 e& q {+ E, |% c0 XMethod 06
$ X" O2 n+ o* F. O' o% q: [- v7 W=========
7 d; V. g7 I8 Q& a/ b: w0 @$ X- c( T8 }" w0 W( X u
, Y" z2 f/ ~8 e2 V* ?0 r; E( ^6 `
2nd method similar to the preceding one but more difficult to detect:" D4 S% I# V4 E- {* ~* e5 \- P
* s8 E- Q4 A! s2 c4 j/ C X: _) _7 o/ s% [
int41handler PROC# @1 o/ p7 g3 p: q7 T: d
mov cl,al
8 y9 d* E: p6 c e# X' [7 o iret
1 Q# Z2 g' H8 p \' `int41handler ENDP4 ?# `8 B/ `% M" i
% [- C" e; s, y9 ^; a4 v
9 q6 v' c: [4 G
xor ax,ax( u+ @. Y+ H/ m8 Y- r# A
mov es,ax
: I6 q( m: ?7 l' S3 g/ ^) ~ mov bx, cs6 y1 |! \) ]* c3 h1 r) B
lea dx, int41handler5 b! @) V+ H! e; f# L
xchg dx, es:[41h*4]
8 N0 b2 E2 o i+ S i xchg bx, es:[41h*4+2]
j5 ^0 p. p7 X* | in al, 40h; H" y# S0 i9 v
xor cx,cx i2 j( X" ^+ n
int 41h
, ~: Q/ r3 S& H: ^1 y xchg dx, es:[41h*4]7 A: F- p: |' A0 D' {0 t5 _& U9 u
xchg bx, es:[41h*4+2]5 `* N. [5 ~ o# K! o: [
cmp cl,al5 a+ L7 u! ?$ _ K# m
jnz SoftICE_detected
; w% ]$ ]0 v# t" e: @& O9 a/ i! t/ `+ ], N
_________________________________________________________________________
" L; B. R0 O! I/ s
$ {1 T( p7 d, ^/ u, [Method 07, E, D* k3 T, g9 W( a
=========
$ A, X: X3 f1 G F' c4 k# k
5 Q9 v, H' }8 w6 |/ {$ QMethod of detection of the WinICE handler in the int68h (V86)
J+ o! ]! a P7 @5 i+ A/ C7 g2 D' Y6 ?* R' }% {4 ]1 D5 L
mov ah,43h
! Q5 [1 r( s9 N) O int 68h
& B* _& n$ p" P+ R! q: ?9 ]6 K+ g cmp ax,0F386h% l7 P J1 f. h; t
jz SoftICE_Detected
' y- p9 K# j" }( |& O, n g: u7 D2 m, G* O5 Y3 _+ H- o
+ o4 X$ C6 R% H+ s6 r, j+ v: d=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
. e G) H; @* i. d* J% w4 W# n app like this:/ S0 T3 l7 H2 z6 g# V7 v6 S
& O/ N' z" {2 t6 y, t BPX exec_int if ax==68. K- L: I0 U: }. d* J5 m: R2 N
(function called is located at byte ptr [ebp+1Dh] and client eip is" Q# ~: |0 Q) a
located at [ebp+48h] for 32Bit apps)
2 M7 e3 m2 i- G- d__________________________________________________________________________- p/ [6 T7 ]2 p6 d" _. Y
1 ?2 O" E; r. x# N% t
: E& C0 Y' n1 x/ G' ]* P' {8 u& GMethod 08, e6 C% x. N& D: O$ p2 u
=========
. s+ e8 J) J8 e2 J$ k
4 V; w! m& U" H6 H# lIt is not a method of detection of SoftICE but a possibility to crash the0 ^' [6 a. s$ g6 l1 S' |
system by intercepting int 01h and int 03h and redirecting them to another5 J3 G1 E: ?5 m5 h) H+ F
routine., V8 C2 T: Z9 ]7 e9 ?! }
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
7 b: V e0 z4 {( C, a1 N) Y& Kto the new routine to execute (hangs computer...)
: M' s4 K v) ~9 B% ^5 r5 ^
6 ?: n5 o1 O6 X! K mov ah, 25h( I; L. t$ G. P1 B% B' B6 Z9 M
mov al, Int_Number (01h or 03h): U/ L( T. v0 ?
mov dx, offset New_Int_Routine! ~; z2 K% k' \% a' V b
int 21h
! ?4 N1 d3 X: G; T) K/ f6 d
: W" }2 D; w/ D6 n9 M__________________________________________________________________________* c$ C Q6 D6 }0 `9 a V- E
5 D0 _7 {$ ^( O3 A9 `6 nMethod 09' N1 ]2 Q+ g! y8 b' ^
=========1 p M- i& @$ N* z$ i
0 T. E' A9 y9 l! W& a% NThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only" N3 ?% l( b8 j; d
performed in ring0 (VxD or a ring3 app using the VxdCall).4 E8 F7 r1 o6 ?3 y( B9 Y
The Get_DDB service is used to determine whether or not a VxD is installed
% W6 a8 j- e; B- ?for the specified device and returns a Device Description Block (in ecx) for/ Z* [: p) r9 @" n
that device if it is installed.
% h+ H: C' w7 ^6 X" D9 K7 S& y. u7 j1 z
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID! |$ O! {2 k! Q% g! I! E
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
9 ?! D6 w: j# ?6 J% `( H, [ VMMCall Get_DDB
* j1 ^. V+ V* E7 r2 ]' H mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed4 {9 k- J1 e9 z$ n
9 Q' g2 f, t5 m3 D- v
Note as well that you can easily detect this method with SoftICE:
1 y; Z! q) x" ?# J bpx Get_DDB if ax==0202 || ax==7a5fh
) R/ x; b9 O: R" Q% N5 c, V% m( _/ @4 d1 H2 O
__________________________________________________________________________
4 T6 R P% _/ B7 {% }
2 z3 S( [! `# b# |" q( z/ N1 vMethod 10" Y4 s$ M1 Z( Y9 n9 Z+ s' D
=========3 A$ I. M: F- H( @) E
- w- ]% t( j' U8 X) K=>Disable or clear breakpoints before using this feature. DO NOT trace with
2 I( H) |) S2 G. ^6 d. A: N SoftICE while the option is enable!!' ], k' J' u. r: y+ @
0 n; P6 r" _" x. _/ M% F' K) L7 ?
This trick is very efficient:0 ^' j9 N/ e. [7 p t, z
by checking the Debug Registers, you can detect if SoftICE is loaded
7 k1 s) V5 f8 |) l6 f(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
6 B5 ?% l7 m: a# f: P1 d1 Jthere are some memory breakpoints set (dr0 to dr3) simply by reading their
- |1 O% O! ~2 y: W C% W0 B0 n1 A3 Nvalue (in ring0 only). Values can be manipulated and or changed as well2 G2 v1 H2 |! R4 I/ I+ l
(clearing BPMs for instance)' O3 B6 O4 e# M0 G/ J# g" L
* y& T5 f* o3 H% L+ |__________________________________________________________________________
+ z/ b( W% L; h$ @( Y
% W1 ]$ P6 X! O! \5 Z5 B( b+ aMethod 11
! l% u7 M9 K, t. A( m$ k=========
" X2 {. p" ?; U& E4 W I' m, Q" a( L2 J' r1 h5 K- o
This method is most known as 'MeltICE' because it has been freely distributed
: i$ m5 e2 t+ O2 [$ f* O* c" {via www.winfiles.com. However it was first used by NuMega people to allow
/ d$ Y5 Z N2 w. o! g1 }1 U) C! F. m% ESymbol Loader to check if SoftICE was active or not (the code is located$ b/ q6 R F, C8 K* P
inside nmtrans.dll).
/ i* R& L" y: Y. f* v0 j A
H% N$ j3 l; b9 H4 `! D+ v OThe way it works is very simple:
" I& ^% `0 c2 S) ]; mIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for6 X4 s; v' [! t0 p3 f! d& o
WinNT) with the CreateFileA API.! Y. S# G7 ~; M( n; F0 i
, Y j; F) k# e2 n! r$ h; K, l
Here is a sample (checking for 'SICE'):
0 J7 W" L5 @- J/ E7 q u! M5 k
2 \% [" z, r5 mBOOL IsSoftIce95Loaded()- J' d2 Z( c( g
{
9 X- r3 \& m+ {2 a HANDLE hFile;
# u1 U) h$ P2 r& e! }" S* Z9 v hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,- I$ t( j) [' l, P* Q$ h
FILE_SHARE_READ | FILE_SHARE_WRITE,
5 }3 ^- i. y' i8 T% G& V NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
' q- ^/ ~/ c" A$ @ if( hFile != INVALID_HANDLE_VALUE ); Z {4 f" R8 W! P
{
! h" Y5 C. s9 _$ H/ k) Z3 Q) V CloseHandle(hFile);
) u& N$ u6 R1 c* S return TRUE;# T5 E" r7 J/ f3 J( |* e5 Y8 W
}
4 |1 L8 L2 b7 E u m9 Z% K+ m4 N1 M return FALSE;. Q# j& M8 {* p4 D
}' k% c2 P; z2 |' x3 E2 b
- g' G$ I, y7 LAlthough this trick calls the CreateFileA function, don't even expect to be: o$ ~# k! e# h/ I
able to intercept it by installing a IFS hook: it will not work, no way!1 t, L: h5 U: d/ q" _
In fact, after the call to CreateFileA it will get through VWIN32 0x001F# }: q6 L' l, U' x( H6 R
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)" I1 s! |/ R, n" ]
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
) U2 K1 a/ X8 Z9 Z+ }! n9 [field.
9 |9 C5 q5 u$ B( H U% h5 qIn fact, its purpose is not to load/unload VxDs but only to send a
# N+ u( r; k% EW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
+ m* Y( T* M# I* b- Vto the VxD Control_Dispatch proc (how the hell a shareware soft could try
# x$ R) d, O3 l% a5 Tto load/unload a non-dynamically loadable driver such as SoftICE ;-).
, o6 R6 W0 h, k u; Y( ~If the VxD is loaded, it will always clear eax and the Carry flag to allow0 d; v- ~1 F9 ]& l8 N8 {% e4 A
its handle to be opened and then, will be detected.
& Q& I% y8 v' c) q: `You can check that simply by hooking Winice.exe control proc entry point& c- P) b9 f( L) @9 G8 H
while running MeltICE.) b: w+ `& D) J) p! h& [% Z) h, k
) v* D% D4 ^- k1 Z8 @" k s* P
. n* X2 a* P+ m+ a 00401067: push 00402025 ; \\.\SICE& b3 [3 n6 s% v) t+ [& h# r. m$ Y, x
0040106C: call CreateFileA- N. ]; i0 n3 o' {& a$ {
00401071: cmp eax,-001; D4 R+ h E: O/ V S! S
00401074: je 00401091
0 i9 C+ J$ k6 _( i% j8 C! Q) g. U
/ r; j7 [# i( v0 e1 n0 H: ^) _* {: `# n
There could be hundreds of BPX you could use to detect this trick.
6 v+ D/ a. n# r8 _-The most classical one is:
1 w$ F$ Y# c) ?" ^ BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||8 T- Q5 x5 }4 q6 b. t3 d
*(esp->4+4)=='NTIC'- ]: Z: s; B4 e" y7 p; ^
( \# i3 \5 H$ j& M& ~, M) g3 n-The most exotic ones (could be very slooooow :-(
7 G2 h: a1 R6 X5 }( ` \3 R BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
6 M9 {3 i4 v& l* {* O& g: j {) U ;will break 3 times :-(
7 ] @$ \ J& U' F
+ U* ], P) A7 T; U: j* d! t-or (a bit) faster:
* v2 y. s& @- m: y" p9 r* e, x BPINT 30 if (*edi=='SICE' || *edi=='SIWV')9 H9 L# \3 z' ?: F0 {2 @5 J3 Z" a
/ q3 I6 D n* T9 f1 ~ }- r BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' ' Q0 d% u1 j: V6 E q, c6 F' j
;will break 3 times :-(
4 L# x' t4 O% L+ @7 c4 d) d, \, _. b* E; U" T o( h
-Much faster:
# T1 {; W1 H5 K0 H' s5 |+ i7 k BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'6 Q8 I# W$ F. x/ m/ `/ o- m5 T+ t
$ K9 U5 ]& \8 S
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
/ O" G9 s# b+ \5 X6 ?/ hfunction to do the same job:
6 |/ c* ^! h) ~9 R0 o) o- |& |6 i0 P
push 00 ; OF_READ
6 z9 Z6 L% A6 u# E- e! ^ mov eax,[00656634] ; '\\.\SICE',0
" D) S1 A# p9 K% k. Z" | push eax: o( g2 T8 s% s+ T# ~; l
call KERNEL32!_lopen9 b9 t7 ]. [! n" C' K* q* S% i
inc eax
" ]# C( c' n# z& V$ I! O0 S" O jnz 00650589 ; detected
- x0 G& [) W- U7 ~ push 00 ; OF_READ/ a) p3 N; \" m
mov eax,[00656638] ; '\\.\SICE'9 M' P9 g0 Z W! o2 Q
push eax0 F' _3 |1 F1 |" x$ W/ R2 b
call KERNEL32!_lopen
% E& Z6 K' f- i8 e& R" a inc eax6 m, x7 Y5 _ R' C2 r* [4 `9 N# l2 S
jz 006505ae ; not detected
5 F- N% u+ V7 M; l8 z7 Y; K7 Y L: y; p: @
# d" T1 ]+ S' h3 K1 L& e( D__________________________________________________________________________
0 Z* b5 B! q" R! k* J% F4 U. o$ h( Q! s8 _0 e- @5 T" ~
Method 12, E7 l l( o% @
=========, ^% V, X K& Y
, r; Q' ?1 u. Z( }This trick is similar to int41h/4fh Debugger installation check (code 05
6 ?! V+ I! V+ @2 Q. J1 m& 06) but very limited because it's only available for Win95/98 (not NT) X* i c6 \6 U( a" [+ f
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.. w+ V" Y+ ]4 m5 d& ?, _4 I
3 F, a/ ?4 g R( H; s0 B push 0000004fh ; function 4fh8 ~, b) Q; w* ], i+ \
push 002a002ah ; high word specifies which VxD (VWIN32)& X+ e; {# \! N: a* L
; low word specifies which service
6 N: M9 B- q7 m& P# X (VWIN32_Int41Dispatch)
) ]8 J( u' s% s7 ~- J+ ] call Kernel32!ORD_001 ; VxdCall; ?2 ? I) o" t u
cmp ax, 0f386h ; magic number returned by system debuggers
. g5 w8 W2 D) o- P! I jz SoftICE_detected
' @8 A8 |/ s1 G+ ]4 }( O$ k4 U- A
% B; Q: F+ J! {Here again, several ways to detect it:
, C( Q' j* ^$ X; r
4 }: G/ t% B7 [3 m, Q( \( u BPINT 41 if ax==4f' E+ S6 d$ C& B* e6 S7 T
2 X2 O/ h4 A4 D' ^6 w" i4 b: b
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one- {, ~' w) Q$ B" j% y2 |3 S
* ^, |( T( J2 u3 m5 |
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A3 R" m t+ {2 g
' X7 Z- ^7 m: S* y M
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!; d$ E/ J) W6 t1 X
$ v9 u K# ^$ z5 W3 y
__________________________________________________________________________
8 V }1 y& g% y: t0 b8 A' E# r/ z8 i. B* ^
Method 13
7 y) J8 r- ]$ M6 T% n& Z=========: I& @8 m( B, w; W: A |) O$ \1 U1 g
8 b7 i$ |0 a2 _( |' K, N- P. o2 w! fNot a real method of detection, but a good way to know if SoftICE is
* K( {2 N* o% T$ U4 l& u$ f vinstalled on a computer and to locate its installation directory.
& s4 ~' _; ~- s0 s2 }% T0 JIt is used by few softs which access the following registry keys (usually #2) :
+ Y4 m9 K i& Y3 r( {( o
% H8 d# K- y! R' W& _$ C X-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion+ v( L' L4 g( E& _0 `+ j4 R8 h
\Uninstall\SoftICE
# c; _( ^( C8 v! S6 u0 g-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE0 K7 [" n, j8 U, b$ V/ ~ P K* ^
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion) Z9 e& u4 F" d6 X, s; j
\App Paths\Loader32.Exe' l0 ]7 @6 N+ X7 p3 ~2 f
! e/ h' M4 j5 m, E0 m0 t g* J( ?( _
9 M/ \5 @ l1 D# J6 L3 ~9 zNote that some nasty apps could then erase all files from SoftICE directory
. M7 r& `6 T6 U4 q0 ](I faced that once :-(% l$ U% c# E9 ?' s* f3 T. Y2 g
. X. K2 I' o6 o0 [2 iUseful breakpoint to detect it:
, ]+ S" l' k5 [
* F& G+ e! a7 B$ }5 |3 e BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
* `# J$ b p7 j. U1 ]9 C
, J/ a a2 U- E5 W6 ]% T2 i3 G__________________________________________________________________________
, [- E+ [8 w( a/ `6 g2 o& F- E
3 s* \9 m' T* B5 W$ Y' f6 J$ G" g Q! {) l& ^
Method 14
. |/ o8 I1 {% I3 Z=========
. I; h# t/ p- \' s" P% Q/ j/ K8 x8 r, E( K
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose* b2 _$ c' U, l4 x( G# k3 c
is to determines whether a debugger is running on your system (ring0 only)., w- P) ?8 k" I& j/ Y
9 R8 l) S0 B7 X' X6 I
VMMCall Test_Debug_Installed n' P+ m8 K5 ?4 q6 ^- d. ^! r* k
je not_installed F' V M7 z5 R) P7 b1 h4 {0 Z t
: ~ T2 |( |3 \' S2 N( cThis service just checks a flag.3 B0 ?+ v$ x4 v) [1 s q! m
</PRE></TD></TR></TBODY></TABLE> |