<TABLE width=500>. x) i. y6 D4 D4 H- v
<TBODY>
6 t+ x# s% D. N" Q) w9 [' o<TR>. e+ o5 |6 i4 g7 L v+ I
<TD><PRE>Method 01
$ n* {" c: N0 R" U4 |, I=========
2 e. [0 Z( r3 T2 x, Z( }& |' z
$ ^" m) e ^1 t g" L2 ?This method of detection of SoftICE (as well as the following one) is5 x8 U2 X; p% J8 F7 \
used by the majority of packers/encryptors found on Internet.
+ g9 }/ _, r% CIt seeks the signature of BoundsChecker in SoftICE
) k: N- f5 |. _7 g: Q7 w+ f5 Y5 g+ R
7 ^/ g) R% f1 F8 n0 G! N mov ebp, 04243484Bh ; 'BCHK' e0 }/ A& @( _& e
mov ax, 04h" w6 x) Z5 Q5 I0 N; ~8 F. u& C
int 3 , G* G% `, J+ g4 v
cmp al,4! v2 V2 W9 t/ q- [ D5 ~% [
jnz SoftICE_Detected
8 B- D( [$ q- D' s( z# l* \2 y0 I. `8 ?- r/ d
___________________________________________________________________________
3 l1 w, P- Q( g0 z/ B9 \) p* N6 B2 f: O3 }$ R' z4 E% Z
Method 02
8 U' C( @& S) M" y4 z=========# T- X8 L. L. y7 ^
4 ^, q' f6 r- W/ tStill a method very much used (perhaps the most frequent one). It is used
* W! R* S1 E" Z- t7 F Bto get SoftICE 'Back Door commands' which gives infos on Breakpoints,$ A1 a' l3 O+ O/ J& b/ Y
or execute SoftICE commands...3 F2 }) T3 C- Z# W( E
It is also used to crash SoftICE and to force it to execute any commands( k/ ~+ @" R( @# j5 [" _
(HBOOT...) :-((
7 r# r, ]- r/ ^) o7 B: U. X( c1 w, u6 Z8 f5 Q
Here is a quick description:( W6 ], o/ p4 T1 n
-AX = 0910h (Display string in SIce windows)$ W$ B S# N K: a: j3 o
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)& b! X7 x& @0 b( o, c
-AX = 0912h (Get breakpoint infos)6 \1 @+ I# [) p
-AX = 0913h (Set Sice breakpoints)* V+ b) E$ u( j' d$ C( t
-AX = 0914h (Remove SIce breakoints)
6 I. E9 z5 @# J+ D5 E8 L, d5 X. P- L/ D I: A: }7 j
Each time you'll meet this trick, you'll see:6 `- R* D, I; b: e1 }
-SI = 4647h
5 U$ \+ a0 W! S) G-DI = 4A4Dh
: X7 }& M1 r% G K# xWhich are the 'magic values' used by SoftIce.
6 K3 J8 a4 `8 P( qFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.9 A7 x# Z9 y( ]" _# G% ?
. T- t) V- f Y; n1 g! ^" a
Here is one example from the file "Haspinst.exe" which is the dongle HASP. c& \& b2 ` I! e% O& U- w* n2 h
Envelope utility use to protect DOS applications:
/ V8 V- |/ @! G! a x8 x% g$ A m9 C$ f+ n
, b' ?; e% E. G* J
4C19:0095 MOV AX,0911 ; execute command.
/ I2 H. K2 T0 ^+ s) s; x; o4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).$ K- V k4 O- b6 B; o) H, @- n
4C19:009A MOV SI,4647 ; 1st magic value./ g3 E; M" _/ m! S T7 H+ N2 [
4C19:009D MOV DI,4A4D ; 2nd magic value.3 y1 } J% E+ o
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
3 C6 d o8 Y5 Y# _3 m4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute b4 ] x- K. S% I3 R- ?
4C19:00A4 INC CX* k5 W6 ?2 s# Y- }
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute7 l8 K/ T% l3 }% O3 P) G% |
4C19:00A8 JB 0095 ; 6 different commands.
+ l/ A' ?6 g) H' \4C19:00AA JMP 0002 ; Bad_Guy jmp back.- j5 D0 b$ n; V8 Z! V, F7 B8 y/ f
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
% G( ?1 z( h, l; i. X
0 \( [9 g. R$ Q; B& zThe program will execute 6 different SIce commands located at ds:dx, which3 N. M1 I" Y3 W
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
0 l o$ [, @% j9 \8 h* D8 N4 X" C- f4 d$ k" [4 e: E
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
6 ]# [# K( ~$ Q# H* X___________________________________________________________________________' L5 W+ O- J* ^
/ u6 Y- g8 V6 O/ O* O. y: L
4 u, I" H) f6 {* F* }Method 03) u9 K% \# E% { s( Z
=========; G; t5 |- }5 `* _* f8 S
" ^ m# u9 r0 m7 Q g; rLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
7 q! G# n& A+ V(API Get entry point)- X' s! ~- F% g+ E( S. |
9 Z* }- e7 N* t+ H1 s
4 a! d! i2 H$ Q) H8 K) h xor di,di
0 r: f* d& x$ F; m$ w* x9 ]# z mov es,di
& ^$ k& n5 h' o* h+ @ mov ax, 1684h
4 l# {3 U$ j, B mov bx, 0202h ; VxD ID of winice
5 R- J$ s; P$ Z: M int 2Fh
7 F/ _" f+ Y7 \7 I, T6 @9 z/ [ mov ax, es ; ES:DI -> VxD API entry point
4 K& q. v: M8 W' Z3 L add ax, di
$ I8 Y5 c" |" K9 Z% Q test ax,ax
2 y$ c4 ?" W7 w$ F* f4 B' s jnz SoftICE_Detected' l! n" T3 v7 |
/ b5 o7 b- c. @ E+ I# R- r8 F___________________________________________________________________________, I+ a* x, l, L$ e: w3 x# i8 I- a
3 \9 F& s7 X6 U8 w% q$ Q2 yMethod 04+ c' K1 Q8 K( C) p- k/ r' u1 e1 W/ P
=========/ B3 Z( |8 _% j( Y# h
, y/ g$ s4 D- i# f6 s: j3 S I( PMethod identical to the preceding one except that it seeks the ID of SoftICE7 @# ^8 f' \0 |, u& o2 n, }
GFX VxD.
3 h$ k' l. m4 U" U2 h' {; D7 D+ E" F1 b, T J+ K% D
xor di,di+ m5 u& _8 h4 c, R3 Y
mov es,di+ J2 y5 R" }7 F: `+ f0 T$ T: J! u
mov ax, 1684h
& H5 \! ~& U p& G mov bx, 7a5Fh ; VxD ID of SIWVID, ], B, ]0 ~% A% }
int 2fh
& b4 z$ F: e( ]* U/ m' }8 [9 N5 r mov ax, es ; ES:DI -> VxD API entry point
1 w3 d2 z0 _, B. U( r* T/ R5 ~) S2 c add ax, di) }. m; a+ }! R
test ax,ax- ~3 X }8 }- U: ~4 G. s6 t. n
jnz SoftICE_Detected6 `" h+ a1 w0 q, r2 ~, ?
" w5 k% J6 ]( A' U+ z; \3 `$ i
__________________________________________________________________________
+ t4 `& n- N, } K$ {- F1 Z% \
7 ^7 ~: r6 J- F: k% t* P& B% A. L9 H) o6 h* C, v O3 j* v
Method 05/ G- k/ N8 t. h; U
=========6 M+ [) D8 b e7 R t& F% c
; d$ ~1 s1 r8 U- M- E) L( U& TMethod seeking the 'magic number' 0F386h returned (in ax) by all system; }, R. N' [) `/ T+ h' C8 ]8 \+ S$ ?, M
debugger. It calls the int 41h, function 4Fh.& z; P) [! w* c! o3 N
There are several alternatives.
# q+ t1 w& Q: `) y) m
% b: P8 g8 t F+ O& ]0 L0 fThe following one is the simplest:
- c P5 o! u$ M8 [. ?
$ M) |8 u0 i3 ?* {& j4 M6 G. O" ~ mov ax,4fh
: D* t$ |% K3 l, Y# v5 F int 41h
% W" N/ b- `0 H7 t' o1 M cmp ax, 0F386' j' U) @7 p; A1 u
jz SoftICE_detected
' I& {" v9 ^. F' t6 f
* ? t/ J% t& Q# x- w A o
4 M [/ B3 P" _2 T$ b, f1 N& iNext method as well as the following one are 2 examples from Stone's 0 g. _3 \# p) ^/ u6 e6 U5 B+ ]: ^
"stn-wid.zip" (www.cracking.net):
$ g: c0 N4 ~; B' \6 r+ F
8 s; o2 \' x; n7 r mov bx, cs8 I) c% ]$ p# b5 |- W: e/ W$ K2 |
lea dx, int41handler2$ b7 O9 _0 ~5 h. i8 w9 P
xchg dx, es:[41h*4]
1 g3 A4 X. C$ E9 i8 Z, o9 D: \" w7 { xchg bx, es:[41h*4+2]
1 L9 Y1 u8 {& p! r" Z$ N' M mov ax,4fh* G2 {% ]2 V: |3 c% a
int 41h
6 O% U s* e% y" o. ~5 u- i xchg dx, es:[41h*4]) y0 X0 U, H9 C7 T/ S- [& M. h% A
xchg bx, es:[41h*4+2]
) J9 \1 L' h* [: l( q7 l cmp ax, 0f386h1 T, p7 c9 J. X7 _
jz SoftICE_detected# P) R- V, C% n) @5 t) t
' k, H% r% C, d2 J+ Q# ?8 Q, ?9 ^7 C
int41handler2 PROC6 h: u" A ?, D6 Z5 M
iret
* C+ v. r* q. t2 Hint41handler2 ENDP; q" ~! ^, ]$ n; w
8 J8 u* U2 W6 [' @& b8 U0 s8 H/ n
5 q$ v% s5 m- ~( @6 j
_________________________________________________________________________* M/ s3 V6 {) @
0 O' P0 N/ f0 X- Q* G5 O; m! e- b. _; U1 W) ~. |7 j/ R. _
Method 06
" e- m+ V1 t ]: y=========
( m1 I, y7 S7 _8 s L3 J5 ~5 v4 u; U& r ]0 K, f6 e4 Y
: c+ @. j. o% ^ O, g) d* k
2nd method similar to the preceding one but more difficult to detect:5 w( n! C0 _9 v
5 Z7 A# h/ k* Q2 D: i1 q4 u
" u! V: ]% N1 X1 d2 d# h
int41handler PROC
; W6 c4 Y7 f9 Z: D5 e! ?; O mov cl,al
# n) E/ f3 ]: @% s iret
9 J9 R2 A: ~# P# pint41handler ENDP( P/ c1 L' x, }2 ]7 ^; I# _' l* |
, T7 [% m6 N& a C3 x. B; {6 R- q" y9 U- a6 S/ w
xor ax,ax- @- t% n# t# p. u7 x& W
mov es,ax
% v3 }' p) V2 g/ v mov bx, cs8 c Z# j" d/ c( }
lea dx, int41handler
7 P1 `. e) L& O: f7 G( F1 k xchg dx, es:[41h*4]
8 c5 @" J p% {7 L/ c9 y xchg bx, es:[41h*4+2]
3 O. i6 e. U* Q: I+ u$ s) q6 m in al, 40h' E* C) g5 _! o
xor cx,cx
6 S9 F# a% E9 d int 41h
9 G8 A+ L7 _' _; b0 x% U3 l xchg dx, es:[41h*4]: a) M4 p/ h$ z o1 w8 J* n
xchg bx, es:[41h*4+2]& y2 \2 J3 }+ E/ ~+ e
cmp cl,al
1 y5 p1 Q, o8 J0 c jnz SoftICE_detected
W' @1 [' m' ^: m0 F( _, _% f, L/ L( O1 `8 L3 R. q8 ?: z
_________________________________________________________________________
0 o7 n& l, |9 f) _- F1 \8 ]! a! M& T" I$ j" o$ Y- ?6 N5 q
Method 07/ ?& V/ H0 f$ Y4 Y- ]
=========
! g3 L0 |& O% T V4 b2 D4 Y, F
0 F) ]( b2 a9 N$ P( A8 d' [# UMethod of detection of the WinICE handler in the int68h (V86)1 K9 ?& x6 d ?+ o' Z
1 a2 N r# z2 v+ V! v mov ah,43h8 r# h4 [8 V! A+ x, m
int 68h
( F& {% P' K0 F* h0 ? cmp ax,0F386h0 t, H V9 k! E" k2 L
jz SoftICE_Detected$ ^8 K4 f: X9 p& s. q
, x, X# {" s" b+ `1 B8 O: q, r
; \/ a& |7 b' Q' P. F& Z
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit- q1 m0 f: ?+ x- C) t
app like this:
/ e3 H- |. ?+ _/ Z6 ]; M" o- V$ t- q# w- M7 _
BPX exec_int if ax==68/ P; m+ |! U) m0 X" D6 H2 |
(function called is located at byte ptr [ebp+1Dh] and client eip is' w" W2 I* b: f6 ]2 `0 T5 K
located at [ebp+48h] for 32Bit apps) v* y9 M* v' M
__________________________________________________________________________: ?$ m6 n i G; k- o- T4 u& C
( w9 P }, ?% z! h8 k" e+ X4 Q3 Y3 x; M9 H* m
Method 08$ S8 G4 p3 u! Z
=========
3 d* c9 V' Q y2 L6 g
% a9 [, t& H5 l: ~2 K, ]5 R2 gIt is not a method of detection of SoftICE but a possibility to crash the
3 F; F% U) N7 Z6 Y D& }4 usystem by intercepting int 01h and int 03h and redirecting them to another2 N3 e- ]$ l, H {
routine.
* S+ c3 i2 l2 l( B DIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points, s8 x+ S3 B# `4 o0 S+ \* h
to the new routine to execute (hangs computer...)
" G& c( k1 Q; s1 Y* f7 G3 \% a# s0 h5 `, m4 a" z
mov ah, 25h6 N+ l2 e* g$ |. F
mov al, Int_Number (01h or 03h)8 i* V+ E8 S' s& }% D8 ?# a/ }* ?" p
mov dx, offset New_Int_Routine
/ O: c9 y* l* _1 Z! i int 21h
5 ~; C) q( U4 L' j7 ]
- F$ K, M; g: w* }8 q) `__________________________________________________________________________
9 I$ w/ O) I3 p2 G- v( w4 U' A$ N- E* _: K- t
Method 09, A2 E8 P% O# S g4 \/ E
=========
) f$ K7 z0 [+ {3 ]0 L1 P- C! }
; Y* |$ B4 \! B9 b0 tThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
3 O+ w) ?& W+ n% T* s8 Hperformed in ring0 (VxD or a ring3 app using the VxdCall).3 Z- _8 I5 F* q# _1 {
The Get_DDB service is used to determine whether or not a VxD is installed* c! T) N. j4 u, O6 N$ A
for the specified device and returns a Device Description Block (in ecx) for
, U' J) }; m; ]4 z7 m4 Sthat device if it is installed.
% Q! \) j3 l6 R. l# G2 W4 a! U$ X% I! ]! o* q7 r/ M
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
6 T/ N6 I2 R, _$ S4 \; V mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
; V3 ~+ }- V, R# S0 E( O VMMCall Get_DDB5 F+ ~+ @# a" b
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed1 d j P5 D! M
7 }9 e: v0 o/ j2 a N4 Y
Note as well that you can easily detect this method with SoftICE:
8 D& r: V( x; _0 i8 v8 y4 j bpx Get_DDB if ax==0202 || ax==7a5fh/ s- D# H. I4 }
& Y; a0 j, ?( A# o7 E& y
__________________________________________________________________________7 a% T% q: j9 Y0 _# K3 @( q
$ G: L% s) v. t2 w) H+ YMethod 10
$ C( w7 x) n" ]/ K" j: i! f=========: x+ E/ \ n) g# y% t: L
) P* D, j1 s* b! t( l4 }( r% e
=>Disable or clear breakpoints before using this feature. DO NOT trace with
R9 I( H' z7 d8 V" E4 e7 g% b SoftICE while the option is enable!!- m% ^) n- [* S2 S1 A& _
& R8 k0 i) B. EThis trick is very efficient:# g8 I# [ q6 y9 T2 ?) y# Z
by checking the Debug Registers, you can detect if SoftICE is loaded
- r% e3 S; _/ C% h(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if) Z0 D. Z) h) u- @! g
there are some memory breakpoints set (dr0 to dr3) simply by reading their9 q/ [3 \ ?, l0 J
value (in ring0 only). Values can be manipulated and or changed as well
/ Y: B) m4 W8 v! |" _, F) q& [(clearing BPMs for instance)
# a- X0 n& B# c2 R4 M# v3 S {/ B6 | C8 s
__________________________________________________________________________
3 X8 X o3 d; e8 C
& Y% c* g# }2 y- L/ h* i8 L9 _Method 115 t6 _ a0 d5 t, ?+ D. f
=========
* ~6 C3 W" T4 A5 n& e+ d, O# j0 q" P0 ]
This method is most known as 'MeltICE' because it has been freely distributed
* B# d. Q0 z' u N3 y2 K9 ~via www.winfiles.com. However it was first used by NuMega people to allow
5 F; y$ Y8 M0 n5 Q- ^' J' w" CSymbol Loader to check if SoftICE was active or not (the code is located
7 K9 l8 j; D% o g/ z/ i- o) r+ t* Ninside nmtrans.dll).
4 G' a) V& ]6 B& N4 {8 p- a/ E6 {5 R8 J+ g, W' l; X
The way it works is very simple:* m8 I) S# k5 h" M1 y+ ^
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for9 u& Y$ A3 D8 g7 b, \) S' j5 q
WinNT) with the CreateFileA API.
. Y* L# P2 v- b, E( {7 F% D
6 N4 c' [! r/ c' FHere is a sample (checking for 'SICE'):! |0 I% l# _: J! X
0 f0 b7 e% T1 }6 p, B! k4 bBOOL IsSoftIce95Loaded()
) e* A0 e; U9 s$ q: T4 d( C2 s) @{
% Y q- H$ Z1 W6 c6 d8 i& S HANDLE hFile; 0 q# M3 q( k- H
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
5 z5 E1 O, O/ ]4 I FILE_SHARE_READ | FILE_SHARE_WRITE,( F i1 ~. U0 P* S
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);6 w) d3 L. J( N8 I
if( hFile != INVALID_HANDLE_VALUE )# ~/ c. ^$ W* _* m Y1 S) v
{5 J4 [ X& n0 j( l4 w7 `; ?. e
CloseHandle(hFile);
$ a8 g2 l" k4 C return TRUE;
% t6 [' D- C3 M- a3 x& @( c& c }
6 ]7 {% `- u$ g$ }/ e return FALSE;7 O% P5 w6 R. O: n0 f+ g; R
}
* j3 Z9 v6 X! r" q
! Z- g1 v# h2 H6 mAlthough this trick calls the CreateFileA function, don't even expect to be2 d- h# H4 r1 P, O7 o% S
able to intercept it by installing a IFS hook: it will not work, no way!
* A& _, `+ y- O0 a# k; pIn fact, after the call to CreateFileA it will get through VWIN32 0x001F5 Q6 _$ f4 C& n+ c, N% J+ J
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)# R# f7 g7 x. {1 }0 l
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
- h U# y3 F0 \+ D6 `. Hfield.2 F/ L; _2 r3 ?4 u" N
In fact, its purpose is not to load/unload VxDs but only to send a
! a: B4 K" S! N' ^W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
" _) W% L; l6 A- r4 x u- k8 xto the VxD Control_Dispatch proc (how the hell a shareware soft could try+ V' R& N% I& ^2 J
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
: J9 [8 S/ G4 z! `If the VxD is loaded, it will always clear eax and the Carry flag to allow
; ?" Q3 R' ^2 t! I eits handle to be opened and then, will be detected.
+ h- B: K( h8 N- P$ {* EYou can check that simply by hooking Winice.exe control proc entry point
' a' y" E6 R2 D' Xwhile running MeltICE.
9 _4 S+ b/ G" G8 ?2 q" ^: H/ `
1 s7 E" h2 I. X+ W: y1 k. f* K! L1 L
00401067: push 00402025 ; \\.\SICE
4 m- m T5 p* ^/ n/ ~4 t 0040106C: call CreateFileA' L, q+ L7 N3 R( f6 ~" \# b
00401071: cmp eax,-0018 [+ X3 r3 }* X3 P. W
00401074: je 004010913 `/ I# d3 R% X
6 x, w+ `4 e7 O* } P9 \3 ?
# m- K7 @% f' t% L' m2 w# jThere could be hundreds of BPX you could use to detect this trick.3 Z" |- V2 K9 T: h9 `$ Z# K: u+ o; l
-The most classical one is:
8 f6 K# I# j! e BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
/ E7 x3 i" c6 e4 W$ G/ l7 s *(esp->4+4)=='NTIC' y4 n' Z# b7 t/ L0 {4 N8 c$ ]
5 q) G8 j" }! x6 S& n
-The most exotic ones (could be very slooooow :-(- O: ?- F/ V/ u5 B h6 W
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
) d7 x1 K3 e. \, D ;will break 3 times :-(4 `% O0 ~; t: B. ?
: R4 ?- I, m( R
-or (a bit) faster:
/ J/ v# L/ d1 S2 x BPINT 30 if (*edi=='SICE' || *edi=='SIWV'), A5 C" Y+ }( e* J, K
* `; y/ X m) H7 j
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' 1 J) F3 Z0 q0 H. L5 M7 I
;will break 3 times :-(+ A6 |" P8 M( V, x
9 J* c! C9 Y" Y2 p" o+ t' I
-Much faster:, O* s& w$ Z9 _
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'; _) J3 }6 [' ?6 S; F$ F6 o
, Z7 I8 Z$ ~* m. |* ]% iNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
$ z$ \" \% u" w+ n) Zfunction to do the same job:
1 o4 ]: U: |; j0 P8 j- g0 l$ j/ c* m# R/ t( O% C6 a4 ~3 r+ Z+ a
push 00 ; OF_READ
3 C3 i7 r: e" [/ A mov eax,[00656634] ; '\\.\SICE',0
; ^2 h( ^3 A& x push eax r( x8 P& M% d. N1 i8 z3 _
call KERNEL32!_lopen
) }8 ^. d3 E1 D: p% J; Q2 \3 r2 O# w inc eax$ K6 F/ w# _% r8 k& t# {' o) w- a8 |
jnz 00650589 ; detected1 L3 n4 ~0 j# F/ _$ U2 m
push 00 ; OF_READ6 w# M, V, w/ G3 h5 o3 Y
mov eax,[00656638] ; '\\.\SICE'
: ?- ]' r( E# e( s push eax0 n |4 ]6 y7 J$ @8 m, h* ~# y1 L
call KERNEL32!_lopen. U @9 `& H8 z
inc eax
* b* ]! ^( Y$ Q; Y9 M# t jz 006505ae ; not detected! f! ~& m# b, U" r# H8 F
% K. _4 P& u2 C$ H' p
9 y; u+ ^4 |& B__________________________________________________________________________5 E& I& J" E1 I8 K
4 E6 o4 n* H9 F6 h
Method 12
5 {: @3 }" F6 G9 C6 H=========
: s0 ?& S, k; i+ N% u8 r( p% ]9 ^! C6 |
This trick is similar to int41h/4fh Debugger installation check (code 05) ]. C! P* M7 M1 b6 K% w6 y# C
& 06) but very limited because it's only available for Win95/98 (not NT)) g3 R: s) H/ T# F. [* i$ }
as it uses the VxDCall backdoor. This detection was found in Bleem Demo./ ~4 ^+ q' Q( P. J# b: H% Z
& ]' ]1 G$ c- G: \5 V2 I- \) Z push 0000004fh ; function 4fh
6 g- A# C/ M: ]" C, F push 002a002ah ; high word specifies which VxD (VWIN32)2 w# t: K0 J0 E
; low word specifies which service
: [( J4 j5 f% v0 o (VWIN32_Int41Dispatch)
, T* I7 w! V$ j! i. P0 Y& U' k call Kernel32!ORD_001 ; VxdCall
8 v# T! f7 r3 D+ `) I& ?/ K cmp ax, 0f386h ; magic number returned by system debuggers3 H9 V7 U/ i S1 q k
jz SoftICE_detected
- |; H" r% q6 V% H" W9 b% N9 i0 O+ E) N5 T: J' k% G7 b) w' O
Here again, several ways to detect it:
8 ~; @7 P: ^9 f& e& m* i8 j& U b( L# I1 r# a! c/ v
BPINT 41 if ax==4f
4 l i& j2 E9 F- l0 S0 R# h8 F* z! }+ F T, {& t" r0 \
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
; j/ @/ u, J B# h
8 L, G0 l" g3 Y BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A1 O' |! y; U' i
- C4 p. D4 g8 X/ X. ], |
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!4 R+ C4 v% c/ D+ E+ o
2 ?/ u5 E5 s+ E& d
__________________________________________________________________________+ x5 h' }7 e, X
/ u. o0 ?& {6 J, s5 s; T
Method 13
+ R$ b6 ~& a. F- |! a=========
4 B6 ]& B) s# }7 h* v* k
# l! ]7 N7 O: ^2 N- T# i+ g, w& |Not a real method of detection, but a good way to know if SoftICE is* i7 t& b( B) `* T
installed on a computer and to locate its installation directory.
% M3 r6 S, @7 z7 _5 t! j9 x/ AIt is used by few softs which access the following registry keys (usually #2) :
$ U+ e, v6 q" `; O/ ]4 C
, C1 L; e0 [% i: Z-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- m) O8 k; G" F5 I3 }\Uninstall\SoftICE2 `' v% {& D1 n% o! H7 u4 I
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE y# \: U! `, h1 |8 r' p2 q
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
8 ]" P5 I- @; T( D\App Paths\Loader32.Exe
# w1 G$ ?, _, Y0 c
( j4 p1 m" _3 Q# B2 ]) A# _: l) p
5 F2 K% g3 f! n3 H9 ?Note that some nasty apps could then erase all files from SoftICE directory+ _4 G. N7 }1 [/ K7 g
(I faced that once :-(
# h |9 @- Y+ ~8 I# j8 v$ f6 g1 ?/ j I" i- ~- r4 i. @
Useful breakpoint to detect it:! j2 l5 x u. S" h
$ u9 E1 @- _2 T( Y0 |7 s) B8 s8 a
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'9 g w4 ?4 B/ J8 T. T3 R f
# @( o9 ~7 [! [( ?6 `, x* _
__________________________________________________________________________4 Z1 F) s7 F! _, C, X
7 k8 E! P0 C' z6 Q; @' Y
+ b; z& e& O) l0 L+ GMethod 14 ! R. k3 w7 Q7 T1 e
=========' {2 t: e( \5 a2 l/ _
/ ^& i* b0 X3 [7 l5 P# U; v1 o
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
8 N4 K1 a! c3 d( vis to determines whether a debugger is running on your system (ring0 only).
/ a. e% w# R* h' f* _* `8 M# p4 W& l) b z
VMMCall Test_Debug_Installed8 s' k5 M- f( l( z- y
je not_installed
. r8 v! D1 G! W* p" ?+ q5 Q: h2 `) q$ E! N
This service just checks a flag.
% Q; X2 |1 b3 g3 ?1 p5 o</PRE></TD></TR></TBODY></TABLE> |