<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: the int 3 handler of
SoftICE recognises EBP='BCHK' with AX=4 and returns with AL changed, whereas
without SoftICE the int 3 simply returns and AL still holds 4.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========
Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE (the ASCII bytes 'FG' and 'JM').
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy jumps back.
4C19:00AD  MOV  BX,SP       ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (the last one reboots the machine).

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========
A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed before the call and stays
0000:0000 when no VxD answers, so ES+DI != 0 means the VxD is loaded.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of WINICE
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========
Identical to the preceding method, except that it looks for the ID of the
SoftICE video VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________


Method 05
=========
A method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h (the Windows debugger interface),
function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy IRET handler is temporarily put in
the real-mode int 41h vector (ES is assumed to be 0, the segment of the
interrupt vector table, as set up in Method 06), so that without a debugger
the call is guaranteed to return with AX unchanged:

        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install dummy handler, keep old offset
        xchg    bx, es:[41h*4+2]        ; keep old segment
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________


Method 06
=========

A 2nd method similar to the preceding one, but harder to spot because neither
4Fh nor 0F386h appears in the code. A dummy handler that copies AL into CL is
installed on int 41h, AL is loaded with the current timer value (port 40h) so
the compared value is not a constant, and CX is cleared. If nothing else
handles int 41h, the dummy handler runs and CL == AL afterwards; if SoftICE
intercepts int 41h, the dummy handler is never reached, CL stays 0 and differs
from AL (if the timer byte happens to be 0 the check silently misses).

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install dummy handler, keep old vector
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; timer value: not a constant
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========
Detection of the WinICE handler on int 68h (V86). Function 43h is answered
by a system debugger with AX=0F386h, the same magic number as int 41h/4Fh
in Method 05:

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
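The int 3 and int 41h/68h checks of Methods 01, 02, 05 and 07 all hinge on a
few fixed immediates (the 'BCHK' dword, the 'FG'/'JM' words, function 4Fh or
43h) followed a few bytes later by the interrupt that consumes them, which
makes them easy to find statically once a target is unpacked. The scanner
below is an added example, not code from the original text nor from any of
the tools it mentions: it searches a raw code buffer for those instruction
byte patterns. The sample buffer is constructed by hand from the listings
above (Method 01 as 16-bit code, the Haspinst.exe fragment of Method 02, and
Method 05); the 24-byte window, the function names and the signature labels
are my choices, and a hit is only a heuristic, since the same bytes can occur
in data or the operands can be loaded in another order or encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A signature is a list of byte strings that must all occur, in order, inside
 * a WINDOW-byte span starting at the first one: the magic immediate(s) first,
 * the interrupt instruction that uses them last. */
#define WINDOW   24
#define MAXPARTS 3

typedef struct { const uint8_t *bytes; size_t len; } part_t;
typedef struct { const char *name; part_t parts[MAXPARTS]; size_t nparts; } sig_t;

/* Opcode bytes of the instructions quoted in Methods 01, 02, 05 and 07.
 * mov ebp,imm32 is BD id (the 66h prefix of 16-bit code is left out of the
 * pattern); mov ax/si/di,imm16 are B8/BE/BF iw; mov ah,imm8 is B4 ib. */
static const uint8_t M01_BCHK[] = {0xBD, 0x4B, 0x48, 0x43, 0x42}; /* mov ebp,4243484Bh */
static const uint8_t M02_SI[]   = {0xBE, 0x47, 0x46};             /* mov si,4647h */
static const uint8_t M02_DI[]   = {0xBF, 0x4D, 0x4A};             /* mov di,4A4Dh */
static const uint8_t M05_AX[]   = {0xB8, 0x4F, 0x00};             /* mov ax,4Fh */
static const uint8_t M07_AH[]   = {0xB4, 0x43};                   /* mov ah,43h */
static const uint8_t INT3[]     = {0xCC};                         /* int 3 */
static const uint8_t INT41[]    = {0xCD, 0x41};                   /* int 41h */
static const uint8_t INT68[]    = {0xCD, 0x68};                   /* int 68h */

#define PART(a) { a, sizeof (a) }
static const sig_t SIGS[] = {
    { "Method 01: mov ebp,'BCHK' ... int 3",            { PART(M01_BCHK), PART(INT3) }, 2 },
    { "Method 02: mov si,'FG' / mov di,'JM' ... int 3", { PART(M02_SI), PART(M02_DI), PART(INT3) }, 3 },
    { "Method 05: mov ax,4Fh ... int 41h",              { PART(M05_AX), PART(INT41) }, 2 },
    { "Method 07: mov ah,43h ... int 68h",              { PART(M07_AH), PART(INT68) }, 2 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Find part p in buf[from, limit); on success store its offset in *at. */
static int find_part(const uint8_t *buf, size_t from, size_t limit,
                     const part_t *p, size_t *at)
{
    for (size_t i = from; i + p->len <= limit; i++)
        if (memcmp(buf + i, p->bytes, p->len) == 0) { *at = i; return 1; }
    return 0;
}

/* Offset of the first occurrence of signature s in buf, or -1. */
long match_sig(const sig_t *s, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + s->parts[0].len <= len; i++) {
        if (memcmp(buf + i, s->parts[0].bytes, s->parts[0].len) != 0)
            continue;
        size_t limit = (i + WINDOW < len) ? i + WINDOW : len;
        size_t pos = i + s->parts[0].len, at = 0, k;
        for (k = 1; k < s->nparts; k++) {          /* remaining parts, in order */
            if (!find_part(buf, pos, limit, &s->parts[k], &at))
                break;
            pos = at + s->parts[k].len;
        }
        if (k == s->nparts)
            return (long)i;
    }
    return -1;
}

/* hits[n] receives the offset of SIGS[n] or -1; returns how many were found. */
size_t scan_for_softice_tricks(const uint8_t *buf, size_t len, long hits[NSIGS])
{
    size_t found = 0;
    for (size_t n = 0; n < NSIGS; n++) {
        hits[n] = match_sig(&SIGS[n], buf, len);
        if (hits[n] >= 0) found++;
    }
    return found;
}

/* Constructed sample, not a real binary: Method 01 (16-bit code) at offset 2,
 * the Haspinst.exe fragment of Method 02 at offset 16, Method 05 at offset 37. */
const uint8_t SAMPLE_CODE[] = {
    0x90, 0x90,
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04, 0x75, 0x10,
    /* mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz */
    0xB8, 0x11, 0x09, 0x8B, 0x17, 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,
    0x83, 0xC3, 0x02, 0x41, 0x83, 0xF9, 0x06, 0x72, 0xEB,
    /* mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3 / ... / jb */
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3, 0x74, 0x05, 0xC3,
    /* mov ax,4Fh / int 41h / cmp ax,0F386h / jz / ret */
};
const size_t SAMPLE_CODE_LEN = sizeof SAMPLE_CODE;

int main(void)
{
    long hits[NSIGS];
    size_t found = scan_for_softice_tricks(SAMPLE_CODE, SAMPLE_CODE_LEN, hits);
    for (size_t n = 0; n < NSIGS; n++)
        if (hits[n] >= 0)
            printf("%04lx  %s\n", (unsigned long)hits[n], SIGS[n].name);
    printf("%zu of %zu signatures found\n", found, (size_t)NSIGS);
    return 0;
}
```

Feed it a dumped code section instead of SAMPLE_CODE to triage a packer; a
"mov ax,4Fh" with no int 41h inside the window is deliberately not reported,
which keeps ordinary code that happens to load 4Fh out of the results.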
___________________________________________________________________________


Method 08
=========
This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 35h (get interrupt vector) and 25h (set interrupt
vector); ds:dx points to the new routine to execute (hangs the computer...)

        mov     ah, 25h
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h                     ; ds:dx -> new handler

___________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID
        mov     edi, Device_Name        ; only used if no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (ring 0 only: mov from a debug register is a privileged
instruction). Values can be manipulated or changed as well (clearing BPMs,
for instance).
Bit 10 of DR7 is reserved and always reads as 1, which is the 0x400; 0x700
additionally has the LE and GE bits (8 and 9) set; an armed BPM shows up as
one of the L0-L3/G0-G3 enable bits plus its address in dr0-dr3.

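The values quoted above only make sense once DR7 is split into its fields.
The decoder below is an added example, not from the original text: it
interprets a DR7 value according to the x86 debug-register layout so that
0x700 and 0x400 read as "LE+GE set, no slot armed" and "reserved bit only",
and shows what an armed BPM looks like. The value 0x000D0401 (DR0 armed
locally, write access, 4 bytes) is constructed, the function names are mine,
and a real value would have to come from "mov eax, dr7" executed at ring 0,
which this user-mode program does not attempt.

```c
#include <stdint.h>
#include <stdio.h>

/* One hardware breakpoint slot (DR0..DR3) as described by DR7. */
typedef struct {
    int local;   /* Ln: armed for the current task */
    int global;  /* Gn: armed for all tasks */
    int rw;      /* R/Wn: 0 = execute, 1 = write, 3 = read/write (2 = I/O with CR4.DE) */
    int len;     /* LENn decoded to bytes: 1, 2, 8 (64-bit only) or 4 */
} dr_slot_t;

typedef struct {
    dr_slot_t slot[4];
    int le, ge;          /* bits 8 and 9: local/global exact breakpoint enable */
    int reserved_bit10;  /* bit 10 always reads as 1 */
    int gd;              /* bit 13: general detect (trap on debug-register access) */
    int enabled;         /* number of slots with Ln or Gn set */
} dr7_t;

dr7_t decode_dr7(uint32_t dr7)
{
    static const int len_bytes[4] = {1, 2, 8, 4};
    dr7_t d = {0};
    for (int n = 0; n < 4; n++) {
        d.slot[n].local  = (dr7 >> (2 * n)) & 1;       /* L0..L3: bits 0,2,4,6 */
        d.slot[n].global = (dr7 >> (2 * n + 1)) & 1;   /* G0..G3: bits 1,3,5,7 */
        d.slot[n].rw     = (dr7 >> (16 + 4 * n)) & 3;  /* R/Wn:  bits 16-17 + 4n */
        d.slot[n].len    = len_bytes[(dr7 >> (18 + 4 * n)) & 3]; /* LENn */
        if (d.slot[n].local || d.slot[n].global)
            d.enabled++;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.reserved_bit10 = (dr7 >> 10) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The pattern the text attributes to the SoftICE loader (0x700): LE and GE
 * set while no slot is armed; a plain 0x400 does not match. */
int softice_loader_signature(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    return d.le && d.ge && d.enabled == 0;
}

/* True when at least one hardware breakpoint (a BPM in SoftICE terms) is armed. */
int hardware_breakpoints_set(uint32_t dr7)
{
    return decode_dr7(dr7).enabled > 0;
}

/* What "clearing BPMs" amounts to: drop the eight Ln/Gn enable bits and keep
 * everything else (a protector running at ring 0 would write this back). */
uint32_t dr7_without_breakpoints(uint32_t dr7)
{
    return dr7 & ~0x000000FFu;
}

static void show(uint32_t v)
{
    dr7_t d = decode_dr7(v);
    printf("DR7=%08x LE=%d GE=%d armed=%d%s\n", (unsigned)v, d.le, d.ge, d.enabled,
           softice_loader_signature(v) ? "  (SoftICE loader pattern)" : "");
    for (int n = 0; n < 4; n++)
        if (d.slot[n].local || d.slot[n].global)
            printf("  DR%d: %s rw=%d len=%d\n", n,
                   d.slot[n].global ? "global" : "local", d.slot[n].rw, d.slot[n].len);
}

int main(void)
{
    show(0x400u);       /* value quoted for "not loaded with the SoftICE loader" */
    show(0x700u);       /* value quoted for "loaded with the SoftICE loader" */
    show(0x000D0401u);  /* constructed: BPM W, 4 bytes, on the address in DR0 */
    return 0;
}
```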
___________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;

    /* open the VxD by its device name; the open only succeeds when the
       VxD is loaded and accepts the DIOC_OPEN control message */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try to
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push    00402025        ; \\.\SICE
        0040106C:  call    CreateFileA
        00401071:  cmp     eax,-001        ; INVALID_HANDLE_VALUE
        00401074:  je      00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
   (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
   4 bytes compared are the start of the device name)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on failure,
so "inc eax" leaves 0 exactly when the device could not be opened):

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited because it is only available for Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

   (esp->8 is the subkey string; 0x13 and 0x37 are the offsets of "tICE" in
   the subkey of #2, "Software\NuMega\SoftICE", and in the subkey of #1,
   "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE", respectively)

___________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only). The service returns with the zero flag clear when a debugger is
installed:

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>