<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display string in SIce window)
 -AX = 0911h (Execute SIce command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SIce breakpoints)
 -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP
___________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip
    is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
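As an added example (written for this page, not code from the original text), here is a decoder for the DR7 values quoted above. The field layout is the IA-32 architectural definition of DR7 (L/G enable bits 0-7, LE/GE bits 8-9, the reserved bit 10 that always reads as 1, GD bit 13, R/W and LEN fields from bit 16). It shows that 0x400 is the idle register with nothing armed and that 0x700 differs only in the LE/GE exact-breakpoint bits; the third value is constructed to show what one armed BPM-style write breakpoint in DR0 looks like.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of DR7. Field layout is the IA-32 architectural definition;
 * the decoder itself was written for this example and is not from the text. */
typedef struct {
    int enabled[4];      /* 1 if Ln or Gn is set for DRn (n = 0..3) */
    int rw[4];           /* R/Wn: 0 = execute, 1 = write, 3 = read/write */
    int len[4];          /* LENn decoded to bytes: 1, 2, 4 (8 on 64-bit only) */
    int le, ge;          /* bits 8 and 9: local/global exact breakpoint enable */
    int gd;              /* bit 13: general detect (trap on any DRn access) */
    int bit10;           /* reserved, always reads as 1 -> the 0x400 baseline */
} dr7_t;

dr7_t decode_dr7(uint32_t dr7)
{
    static const int len_tab[4] = { 1, 2, 8, 4 };   /* LEN encodings 00,01,10,11 */
    dr7_t d;
    for (int n = 0; n < 4; n++) {
        d.enabled[n] = ((dr7 >> (2 * n)) & 3) ? 1 : 0;  /* Ln = bit 2n, Gn = bit 2n+1 */
        d.rw[n]      = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n]     = len_tab[(dr7 >> (18 + 4 * n)) & 3];
    }
    d.le    = (dr7 >> 8) & 1;
    d.ge    = (dr7 >> 9) & 1;
    d.bit10 = (dr7 >> 10) & 1;
    d.gd    = (dr7 >> 13) & 1;
    return d;
}

/* Number of DR0..DR3 slots that are armed; memory breakpoints (BPMs) live here. */
int armed_breakpoints(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    return d.enabled[0] + d.enabled[1] + d.enabled[2] + d.enabled[3];
}

/* The text's two reference values differ only in bits 8 and 9 (LE/GE):
 * 0x400 is the architectural reset value, 0x700 has exact-breakpoint mode on. */
int exact_mode_on(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

static void describe(const char *label, uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    printf("%s DR7=0x%08X LE=%d GE=%d GD=%d armed=%d\n",
           label, dr7, d.le, d.ge, d.gd, armed_breakpoints(dr7));
    for (int n = 0; n < 4; n++)
        if (d.enabled[n])
            printf("  DR%d: %s, %d byte(s)\n", n,
                   d.rw[n] == 0 ? "execute" : d.rw[n] == 1 ? "write" : "read/write",
                   d.len[n]);
}

int main(void)
{
    /* Constructed values: the two from the text plus one with a 4-byte write
     * breakpoint in DR0 (L0=1, R/W0=01, LEN0=11). */
    describe("no debugger   ", 0x00000400u);
    describe("SoftICE loader", 0x00000700u);
    describe("one BPM       ", 0x000D0401u);
    return 0;
}
```

Reading DR0-DR3 and DR7 needs ring0 (a `mov eax, dr7` from ring3 faults), which is why the text limits this method to ring0 code; the decoder only interprets a value that was already obtained.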

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device opened: the driver is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh              ; function 4Fh
    push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxDCall
    cmp ax, 0F386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

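The breakpoints above catch each trick at run time; an analyst triaging a sample without a debugger usually wants the same checks as static byte signatures. As an added example (written for this page, not code from the original text) the following scanner looks for the checks of Methods 01 to 05, 07, 11 and 12 in a raw buffer: the 'BCHK' immediate, the SI/DI magic pair, the int 2Fh/1684h queries for VxD IDs 0202h and 7A5Fh, int 41h/4Fh, int 68h/43h, the VxDCall push pair, and the \\.\SICE, \\.\SIWVID and \\.\NTICE device names. The instruction encodings are the standard 16-bit IA-32 forms of the listings above (worked out here, since the text only shows assembly source); a production scanner would add the 32-bit operand-size forms and the Method 06 handler variant, which has no fixed byte pattern. The sample buffer is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One flag per check described in the text (Methods 01-05, 07, 11 and 12). */
enum {
    SIG_BCHK          = 1u << 0, /* Method 01: mov ebp,4243484Bh ('BCHK')            */
    SIG_BACKDOOR      = 1u << 1, /* Method 02: mov si,4647h / mov di,4A4Dh           */
    SIG_VXD_SICE      = 1u << 2, /* Method 03: mov ax,1684h / mov bx,0202h / int 2Fh */
    SIG_VXD_SIWVID    = 1u << 3, /* Method 04: same with bx = 7A5Fh                  */
    SIG_INT41_4F      = 1u << 4, /* Method 05: mov ax,4Fh / int 41h                  */
    SIG_INT68_43      = 1u << 5, /* Method 07: mov ah,43h / int 68h                  */
    SIG_DEVICE_NAME   = 1u << 6, /* Method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE     */
    SIG_VXDCALL_INT41 = 1u << 7  /* Method 12: push 4Fh / push 002A002Ah             */
};

/* Byte patterns: standard IA-32 encodings, 16-bit operand size where the text
 * shows DOS code. These were worked out for this example, not taken from it. */
static const uint8_t p_bchk[]     = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
static const uint8_t p_backdoor[] = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };
static const uint8_t p_sice[]     = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F };
static const uint8_t p_siwvid[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
static const uint8_t p_int41[]    = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
static const uint8_t p_int68[]    = { 0xB4, 0x43, 0xCD, 0x68 };
static const uint8_t p_vxdcall[]  = { 0x68, 0x4F, 0, 0, 0, 0x68, 0x2A, 0, 0x2A, 0 };
static const char    d_sice[]     = "\\\\.\\SICE";
static const char    d_siwvid[]   = "\\\\.\\SIWVID";
static const char    d_ntice[]    = "\\\\.\\NTICE";

typedef struct { unsigned flag; const char *what; const void *bytes; size_t len; } sig_t;

static const sig_t sigs[] = {
    { SIG_BCHK,          "BoundsChecker 'BCHK' int 3 check",      p_bchk,     sizeof p_bchk },
    { SIG_BACKDOOR,      "SoftICE back door magic SI/DI",         p_backdoor, sizeof p_backdoor },
    { SIG_VXD_SICE,      "int 2Fh/1684h for VxD 0202h (SICE)",    p_sice,     sizeof p_sice },
    { SIG_VXD_SIWVID,    "int 2Fh/1684h for VxD 7A5Fh (SIWVID)",  p_siwvid,   sizeof p_siwvid },
    { SIG_INT41_4F,      "int 41h function 4Fh",                  p_int41,    sizeof p_int41 },
    { SIG_INT68_43,      "int 68h function 43h",                  p_int68,    sizeof p_int68 },
    { SIG_VXDCALL_INT41, "VxDCall VWIN32_Int41Dispatch 4Fh",      p_vxdcall,  sizeof p_vxdcall },
    { SIG_DEVICE_NAME,   "device name \\\\.\\SICE",               d_sice,     sizeof d_sice - 1 },
    { SIG_DEVICE_NAME,   "device name \\\\.\\SIWVID",             d_siwvid,   sizeof d_siwvid - 1 },
    { SIG_DEVICE_NAME,   "device name \\\\.\\NTICE",              d_ntice,    sizeof d_ntice - 1 },
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

static int match_at(const uint8_t *buf, size_t n, size_t off, const sig_t *s)
{
    return off + s->len <= n && memcmp(buf + off, s->bytes, s->len) == 0;
}

/* OR of SIG_* flags for every pattern that occurs anywhere in buf[0..n). */
unsigned scan_softice_checks(const uint8_t *buf, size_t n)
{
    unsigned found = 0;
    for (size_t off = 0; off < n; off++)
        for (size_t k = 0; k < NSIGS; k++)
            if (match_at(buf, n, off, &sigs[k]))
                found |= sigs[k].flag;
    return found;
}

/* Prints one line per hit with its offset; returns the number of hits. */
int report_softice_checks(const uint8_t *buf, size_t n)
{
    int hits = 0;
    for (size_t off = 0; off < n; off++)
        for (size_t k = 0; k < NSIGS; k++)
            if (match_at(buf, n, off, &sigs[k])) {
                printf("  +0x%04zx  %s\n", off, sigs[k].what);
                hits++;
            }
    return hits;
}

/* Constructed sample "image": NOP padding around a Method 01 stub, a Method 03
 * stub and a Method 11 device name. Not a real binary. */
static const uint8_t sample[] = {
    0x90, 0x90,
    0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04,
    0x90,
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,
    0x90,
    '\\', '\\', '.', '\\', 'N', 'T', 'I', 'C', 'E', 0,
    0x90
};
const uint8_t *sample_buf(void) { return sample; }
size_t sample_len(void) { return sizeof sample; }

int main(void)
{
    int hits = report_softice_checks(sample, sizeof sample);
    printf("hits=%d flags=0x%02x\n", hits, scan_softice_checks(sample, sizeof sample));
    return 0;
}
```

The device-name strings are the most robust of these signatures, since they survive any reordering of the surrounding instructions; the opcode patterns are deliberately short and will need the 32-bit prefixes (66h) added to cover Win32 code such as the MeltICE listing.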
) c; |7 H# ?$ x- W__________________________________________________________________________0 |: C; Z8 i$ |* j' M% T
# S# U8 q; g2 M' g1 h$ V
Method 13. a0 w7 q. D5 c' \) a
=========
! z+ W% O6 p- w- \* Z0 D8 Q/ N: \9 r& i0 t" ]8 U0 @5 h7 @
Not a real method of detection, but a good way to know if SoftICE is3 Q9 l' K' z, _8 P( e
installed on a computer and to locate its installation directory.1 ]% d! O0 K; V, E, T' x
It is used by few softs which access the following registry keys (usually #2) :
, t4 a- r( b. a4 {
s2 r. v* p! y& M1 W-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion0 A* \4 `- x8 \5 S6 _" ^+ x4 o
\Uninstall\SoftICE- h8 O% h+ ]6 q
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
# [( g- l7 ]+ G2 t' z* ~0 `; |% N0 D-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
& {; i) M* I( ? e1 h# {6 V\App Paths\Loader32.Exe
/ _" M2 B) D% v7 u& r
: x5 l* w& ^8 r3 T7 r$ x. ~4 P/ }: w- i/ _3 q
Note that some nasty apps could then erase all files from SoftICE directory) F5 A( q2 T( k: Q' e" [2 q5 @4 q
(I faced that once :-(
9 D) [2 ~, n& Q7 n# W* q' |. ?; o0 y
Useful breakpoint to detect it:
( R$ R0 T& K7 e* H2 X% P( T O" s+ ~. f' _# ]
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
) r' n4 v& A2 {$ w5 I2 Q) F! h$ z5 f7 m* k/ l
__________________________________________________________________________
6 [: m g+ d) I) Z/ Z! M% u' H
9 r. C, d3 h: `6 z/ ]1 kMethod 14 : w: D1 Q( p* J* B, H6 f
=========9 ?- _! v/ S2 R7 a7 ^% c
; |' ?5 V( H6 r$ D7 K1 k
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
" J: }! v: ]2 r8 ?! N( K V2 @is to determines whether a debugger is running on your system (ring0 only).8 f* }! C$ @. l8 z* d X( c
( o3 V6 U" w) ^! [/ s/ L. b VMMCall Test_Debug_Installed
. V" O) c4 v' Y- y6 Z8 b+ r) v je not_installed
* t: v; X1 R/ R! u+ u8 T
: t; L" |* J2 m# H7 A$ ZThis service just checks a flag./ }* ^1 T2 C0 ~% ^- d6 E
</PRE></TD></TR></TBODY></TABLE> |