<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs              ; ES is assumed to be 0 (IVT segment), see Method 06
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our own int 41h vector (offset)
    xchg bx, es:[41h*4+2]   ; ... and segment
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer value, unpredictable
    xor cx, cx
    int 41h                 ; our handler copies al into cl...
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; ...unless a debugger swallowed the int 41h
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip
    is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only when SICE is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
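An added example, not part of the original text: a small Python scanner that looks for the byte encodings of the checks from Methods 01, 02, 03/04, 05, 07 and 12 in a raw code blob, the way an analyst triaging a protected binary would locate these tricks before stepping through it. The sample blob is hand-assembled from the snippets above and is constructed input, not taken from any real file.

```python
import re

# Byte signatures for the SoftICE checks described on this page, as regular
# expressions over raw bytes.  Where 16-bit and 32-bit code differ only by the
# 66h operand-size prefix, the prefix is optional.  Plain x86 encodings:
# B8+r = mov reg,imm ; CD ib = int ; CC = int 3 ; 3D iw = cmp ax,imm16.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "bchk_int3":      rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: mov si,4647h ... mov di,4A4Dh ... int 3 (back door magic)
    "backdoor_magic": rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A.{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "int2f_1684":     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05 (16-bit): mov ax,4Fh / int 41h ... cmp ax,0F386h
    "int41_4f":       rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3",
    # Method 07: mov ah,43h / int 68h
    "int68_43":       rb"\xB4\x43\xCD\x68",
    # Method 12 (32-bit): push 4Fh / push 2A002Ah / call ... cmp ax,0F386h
    "vxdcall_int41":  rb"\x6A\x4F\x68\x2A\x00\x2A\x00.{0,16}?\x66\x3D\x86\xF3",
}


def scan(blob: bytes) -> list:
    """Return (signature name, offset) pairs for every hit, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        # DOTALL so that '.' also matches byte 0x0A inside the gaps
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed test input: the page's snippets hand-assembled into bytes and
# separated by NOP padding (offset of each piece noted for reference).
SAMPLE = (
    b"\x90" * 4                                                    # 0: padding
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # 4: Method 01
    + b"\x90" * 4                                                  # 18: padding
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # 22: Method 02
    + b"\x90" * 4                                                  # 34: padding
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # 38: Method 03
    + b"\x90" * 4                                                  # 50: padding
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # 54: Method 05
    + b"\x90" * 4                                                  # 64: padding
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3\x74\x05"                      # 68: Method 07
    + b"\x90" * 4                                                  # 77: padding
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"          # 81: Method 12
    + b"\x66\x3D\x86\xF3\x74\x05"
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```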

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>