<TABLE width=500>
$ @. p, x$ q6 X8 M3 S" Z<TBODY>
; E& t1 d( D1 [: y' y0 V* X<TR>& \: b( [# X% Z0 [9 K- X
<TD><PRE>Method 01 1 X* A1 f& b2 O) R% h! v3 R3 _
=========
5 U3 Y1 Q( U# T
- F3 z# _% ~( r- @% h& C/ m- SThis method of detection of SoftICE (as well as the following one) is
: _5 b! ^- T- ]9 a6 O' {+ f4 Y$ A% \used by the majority of packers/encryptors found on Internet.
% n0 d* u( i# }; g0 |- R2 X* n0 yIt seeks the signature of BoundsChecker in SoftICE9 b# s8 Q, |! m1 Q- l& ?
/ v+ y8 d+ o2 o3 n* v3 @
mov ebp, 04243484Bh ; 'BCHK'
H4 R6 L6 S6 t3 \6 i6 e4 V3 i mov ax, 04h
* B E. n% P: Z1 | int 3 / I( P! H# V% }- z9 J: D) A* c1 K
cmp al,4( [. n& i6 u$ M1 y
jnz SoftICE_Detected
6 K2 l9 k n% R4 @# B2 |5 e! i) ]/ f: H- l& U
___________________________________________________________________________
/ t) R& s3 A- O' S9 |& k: m
7 P& A1 C8 }3 ^+ e, zMethod 02
8 X9 e" I+ V3 _0 R8 W3 g=========
6 P9 [6 U) }4 |' t3 T' O+ X
5 |- \2 ]4 D& N: vStill a method very much used (perhaps the most frequent one). It is used
$ v, y- T( ~& c3 [0 n( gto get SoftICE 'Back Door commands' which gives infos on Breakpoints,2 a" O& p% |" f( D$ g8 q9 j
or execute SoftICE commands...
+ m" V8 u+ e: D$ j) k8 AIt is also used to crash SoftICE and to force it to execute any commands: a6 z/ h1 }/ Q
(HBOOT...) :-((
" |. `; c n( X- i6 Y- [
$ c1 U9 I! p2 g6 |0 E k) s/ YHere is a quick description:8 F# V( t5 H* n) B4 ~4 g7 ^1 ~) `
-AX = 0910h (Display string in SIce windows). e: r. |7 Q/ H4 D- o) B
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
1 X& ~6 @& r. F7 ~-AX = 0912h (Get breakpoint infos)4 K$ F* c4 A7 K, Y- C
-AX = 0913h (Set Sice breakpoints)' k+ W# M" p: ^# t* `
-AX = 0914h (Remove SIce breakoints)7 D& D/ O( u, Z9 W- W* a" ]
* h9 C7 p! B9 r& [Each time you'll meet this trick, you'll see:! U5 g* s0 C0 X3 t/ V& s
-SI = 4647h
i- s1 ]) h- d* v-DI = 4A4Dh6 I( b- @9 w4 }5 q9 ~
Which are the 'magic values' used by SoftIce.
6 [/ i% V. {* [For more informations, see "Ralf Brown Interrupt list" chapter int 03h.& u. z- E5 b( A7 A6 v
+ z" i' |; }1 r8 `* {2 X
Here is one example from the file "Haspinst.exe" which is the dongle HASP
6 [- H' t5 p/ ^( G. _- ?5 o$ B- o; SEnvelope utility use to protect DOS applications:$ G% E; V% V- q9 m# n
B! o d B7 f0 F. {: Y! p: ]- A2 x7 H' |6 G8 s. w w
4C19:0095 MOV AX,0911 ; execute command.
! K( y# N1 |; F N9 @6 n9 z9 U4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).3 c2 s: `/ h& d4 f
4C19:009A MOV SI,4647 ; 1st magic value.
1 z( ^& _) L# X. o3 `4C19:009D MOV DI,4A4D ; 2nd magic value.
. |0 D0 M9 ?4 u- l+ B4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
; B Z! G4 K. j4 w) \: K4 R4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute( L% t, _' l/ u m8 y/ x% ]$ L
4C19:00A4 INC CX
) ?& r2 ^( k1 K* e0 f( U9 y4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
& O' R. C+ T% i5 u4C19:00A8 JB 0095 ; 6 different commands.( o4 _* n$ w: A
4C19:00AA JMP 0002 ; Bad_Guy jmp back.4 ^7 y: C4 p% S% Z2 i
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
' P$ Z9 y% h0 Z2 R9 F @
( J2 s# c6 R( U1 [4 S" jThe program will execute 6 different SIce commands located at ds:dx, which
, B# F$ _6 {6 p* d$ v* B4 Zare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.# T# Z% Z& Z9 S: r6 A
: }7 V- O& u: K: {: v4 F0 A
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.1 I% F9 `/ R }, C
___________________________________________________________________________
* y. q6 Z0 C6 p& {" K$ @# S- ^, v# H* Q! |
1 L- n8 C# {+ D" f5 J ^Method 03' D h+ Z9 r* \8 r; V1 ^
=========7 ~% {6 [7 i) n, { d9 h$ ]
& l# N6 N7 h }/ T5 s( mLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h& `; i- z# Z4 j8 Z
(API Get entry point)
# g6 ]+ J. ^+ ~* T * {2 q4 x5 Y8 ~( A' ^3 }
$ |& F! f# s% o' e# F
xor di,di4 V7 d" F. f/ q6 L. ]' G
mov es,di1 X! R3 w( e4 J
mov ax, 1684h / Q: X* a8 O( Y' _" n
mov bx, 0202h ; VxD ID of winice- P+ j5 A2 w+ c" S/ w
int 2Fh
/ L: K$ }- N* d) ^2 O' y% H0 h mov ax, es ; ES:DI -> VxD API entry point
$ D4 U) s! b7 S8 f' b$ K, D add ax, di
, {2 j3 M- u4 r/ Q. s) R test ax,ax* L m# g+ N3 `# p- G
jnz SoftICE_Detected
. V9 R, ~0 X5 N* \7 n# i5 |5 R' V& J2 ?7 q: x, U, a h+ S/ v
___________________________________________________________________________# @# T- P% i" `7 b
7 n2 P7 i" f" E/ c7 [
Method 048 I) ?3 ?/ N v
=========
5 n9 V- M* w& x5 K. } b1 \3 O* x! z" N
Method identical to the preceding one except that it seeks the ID of SoftICE
; L$ k" V7 L5 p, F8 ^GFX VxD. @ t: K- C2 ]) Z! b
. T: v% o7 ]2 P) F' m+ ]+ l9 [ xor di,di
`+ O& P$ U4 t/ n1 q mov es,di! X% ^. M# G& k) m9 ^( k2 ^
mov ax, 1684h 0 H" n+ S& y! X8 D0 ?
mov bx, 7a5Fh ; VxD ID of SIWVID
9 ^+ m" h$ f- ` int 2fh1 u% g7 f7 ^/ H
mov ax, es ; ES:DI -> VxD API entry point
! E; z" y' K! g/ \& e& } add ax, di
1 Q/ U; L1 g& ]4 r8 [6 K# b' g: | test ax,ax4 O" r" L7 x1 A8 Z9 K2 N. _% g9 E
jnz SoftICE_Detected
9 ?) l; C* w' Y c2 q; s6 P
& ]6 q/ N9 E* B__________________________________________________________________________
% d3 x8 N- x" L7 e/ w6 ^
: [5 B% m8 w. A. ]) @5 n8 m8 I8 }. S* i; u% R7 I; V! w
Method 05
/ X$ ~0 U/ k+ ^) e$ {( E=========
7 E/ D: f) N8 x. i& j0 m5 Z* p. }0 M1 L! l$ B" H
Method seeking the 'magic number' 0F386h returned (in ax) by all system8 r) n9 ^4 R8 w1 q
debugger. It calls the int 41h, function 4Fh.6 {# M" D% T3 M0 ^# b0 N# K
There are several alternatives. : p1 K+ N5 O! B- `4 }$ x7 Z: z
- |. Q* e5 j2 A7 U
The following one is the simplest:
' M2 Y2 R3 b3 o. l
: H9 v5 `9 a9 m' ? mov ax,4fh; t9 i# a9 I7 Z$ y8 y' v/ X9 Q7 h
int 41h3 ]8 ^9 q+ @: j4 C2 |
cmp ax, 0F3866 Q: w' Q1 f* S6 {
jz SoftICE_detected
- s. i. L Q/ ?- `0 |) e% n
8 c: v5 {) O# Z( x X
# j! D' O8 { Q/ z" E4 ~Next method as well as the following one are 2 examples from Stone's ) @4 ^ `/ Q; E$ T# g7 Q
"stn-wid.zip" (www.cracking.net):: y% O8 g: ?' s7 A5 P4 T
8 X. P- @ _0 H8 M1 P! z0 r mov bx, cs3 h7 J! y: v$ i- W: G
lea dx, int41handler21 G( u9 D7 C& R# J& T+ y
xchg dx, es:[41h*4]- y. z0 n7 o4 X& L' y
xchg bx, es:[41h*4+2]
0 Z* C: r' W; H$ p8 P+ b mov ax,4fh
# B8 L6 |$ S) c( n4 @% j0 [ int 41h
, w! ]. u2 G) s' E% i/ o xchg dx, es:[41h*4]* F; j8 M, ]) F% ^5 R
xchg bx, es:[41h*4+2]3 J* }, O7 h4 d2 B2 r& q: J6 Z
cmp ax, 0f386h- H) A2 V: h) |" i$ h. }7 ]) X
jz SoftICE_detected
8 i' i6 R) {0 R; F8 _* }- i# [7 Y' e
int41handler2 PROC& v( W7 n- m$ u8 K: E! P
iret8 N! b( w2 B9 Z; x1 N
int41handler2 ENDP
7 ]( U( u' n0 T/ [7 {$ f, E7 W, |1 ~9 L# y
+ P8 v1 i7 l) I, V" z" l) u_________________________________________________________________________5 h! e0 m. m: q6 b7 ?
9 M- n/ F5 @* E) h: ]2 i' o4 z
( o, A j8 m o8 `: b, ?. VMethod 06
, R4 x" R# L* e8 u, w/ n& }9 L=========
S3 l7 V4 S/ t4 o8 O% k7 R* N2 V9 u, k; h; w9 `+ {) S
! U; f: u9 O7 T% z, H
2nd method similar to the preceding one but more difficult to detect:
. W. E4 u2 v( \. F6 l3 Y1 Q8 z1 ~8 W
, v9 @5 ]1 C% V% A6 D% R$ z b. Fint41handler PROC
+ |/ g5 Z5 R; ` mov cl,al6 Z& f: d. [2 q! J
iret) d1 F: C; W0 U0 M
int41handler ENDP0 I) e0 B: R$ w/ j _
& j4 t+ t+ h+ C1 a
- `% T# h: k7 n5 o* i& u xor ax,ax- M0 N4 A' L. c( w/ S# t6 p) D6 T1 W
mov es,ax
. ? c; J1 P+ T" D" C mov bx, cs
$ l* y$ g8 Y {4 H3 ] lea dx, int41handler
- ]# Q" G, S% S2 R3 p* V xchg dx, es:[41h*4]
2 Q+ r- F: `! [2 T& ^6 T7 L: ^ xchg bx, es:[41h*4+2]
2 w- N* m6 V2 c- t+ O, { in al, 40h
: s9 X. F0 p& w( I* k xor cx,cx
4 Z& c% ~: H3 \8 y4 k+ N J int 41h- z' |% h. D& d& V5 g
xchg dx, es:[41h*4]
% J: |! Y% v9 U7 i xchg bx, es:[41h*4+2]
7 H* c4 {! m v8 e cmp cl,al1 L2 B( X! k0 q r2 r2 O! g! c
jnz SoftICE_detected
; _ [% e) \2 Y- c- s- Y8 | s- P8 C/ R
_________________________________________________________________________
I9 w9 R5 {: U1 Z: U8 p3 @( e7 W
! t: p' A1 K# O' f3 G$ c: }6 MMethod 07+ d% W O7 ]3 f* x# r
=========
+ G% W! X/ m- O5 x, z; \: ? D, k- M: N9 O! X4 L: z5 s/ T) D/ s
Method of detection of the WinICE handler in the int68h (V86), A) Y" ^) H5 l4 o
( o, T5 E& U1 `
mov ah,43h2 t) z+ w$ N/ T7 _
int 68h. L4 s7 k. j# j
cmp ax,0F386h X4 O6 {1 g% P# o& B
jz SoftICE_Detected
! ?0 o7 N& _2 M7 i: u' q7 _# T# _; N& K. l: |/ G C
3 Y) m9 E& W& I; ?
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
! p ?5 n$ F: a( h9 Q6 { app like this:1 l6 N4 _. U) _% z, {: z, }# B
4 f# V7 Z T6 V: _ BPX exec_int if ax==68
" B$ T3 _6 @* T3 o1 E$ V: C( C' N (function called is located at byte ptr [ebp+1Dh] and client eip is! ]* P5 B$ ^* T
located at [ebp+48h] for 32Bit apps)
P: ]* o; P( ^; k4 F; ___________________________________________________________________________, k+ Q( [5 [0 e1 o: d2 [
9 |6 d6 W6 o6 J* s9 |4 z) l3 L' ~1 B& }$ O: a
Method 08
( L+ [6 l% j. f4 ?=========( p0 m: K, Z3 k; C8 @6 i6 U- R
: b$ i0 B8 f7 b) P k1 bIt is not a method of detection of SoftICE but a possibility to crash the4 [) D' D! s% e+ |: G# ?' Q
system by intercepting int 01h and int 03h and redirecting them to another# q$ e3 D/ \" w7 |% f- k
routine.
+ u! O7 G+ w; Y; ~. C* i' XIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
3 r4 @/ E3 o V5 Zto the new routine to execute (hangs computer...)' `" d" E2 q6 k3 s
5 U2 l3 w/ {# Y8 g; u$ ` mov ah, 25h# b4 z# W2 T* |/ S
mov al, Int_Number (01h or 03h)
" m9 L6 j( O7 N" C3 Q# A8 J4 ]8 N7 h. D mov dx, offset New_Int_Routine
/ s5 T+ G4 F, Y# A int 21h+ V }. _8 q9 s" U
, W- r0 r* ]1 ]0 J__________________________________________________________________________ A+ ^' ]* ^6 f6 j/ l
6 ]9 T; e, o6 x8 C8 \, XMethod 09
. p9 v4 H- z5 u" @=========3 a m3 m1 ]% N
- n) p6 t# L( p: ? t4 rThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only) ?5 x+ \8 x' ]2 g2 r
performed in ring0 (VxD or a ring3 app using the VxdCall).
# a, G, k9 x; s. jThe Get_DDB service is used to determine whether or not a VxD is installed2 D# {) d% ~- i! m$ n
for the specified device and returns a Device Description Block (in ecx) for
7 V9 W( M$ x. ^- \1 kthat device if it is installed.
( h# l) {2 Y, A0 A$ D: `7 d1 h
# Q9 R4 Q1 U" }9 N1 w mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
1 F! V: y. t# z2 i4 T mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)/ j0 P/ B" S) w2 k4 s: g
VMMCall Get_DDB
) U! w% |0 {7 S1 V5 Y, C9 n mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
2 V9 a/ I1 Y& M- J6 I8 p0 n( { Q ]) c4 e2 \6 O
Note as well that you can easily detect this method with SoftICE:
* E8 W4 e& B) S% o1 n) B bpx Get_DDB if ax==0202 || ax==7a5fh
$ X( m% P6 Z7 a" a5 @ ^+ O5 o2 X! y5 ~ g3 A0 Z8 m
__________________________________________________________________________
! { z" K* C0 i& Z3 E$ ~, N+ K0 v8 j; L) Y% a( g
Method 10
5 C5 i7 ?6 }8 G, q, F& V% a=========
& k9 Z& ^3 n2 d" ` r; w( e5 k, X3 J8 m' F4 Y
=>Disable or clear breakpoints before using this feature. DO NOT trace with* t- Z4 ]% `9 w$ j$ c! X: {. ^: Q
SoftICE while the option is enable!!6 j/ F/ ] A4 x& _% C
7 W- M9 r. h) p; i! q. F) U, zThis trick is very efficient:- v) D' s* m# a! E$ y$ D0 ~4 p
by checking the Debug Registers, you can detect if SoftICE is loaded
/ |# W. X$ _7 e4 J/ d0 }% E# g1 s(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
5 _7 n" L+ u! W# L6 E8 c7 Rthere are some memory breakpoints set (dr0 to dr3) simply by reading their3 A% J) o, F/ }/ \! S
value (in ring0 only). Values can be manipulated and or changed as well; g! p, B4 y" l8 x
(clearing BPMs for instance)( E1 ]- A5 N; e$ W6 y- ]
) v* o$ h5 M/ X" ?- d. ]" x1 k
__________________________________________________________________________
& V2 ], K0 D6 j8 u, ~+ ~0 ?6 N
8 w5 I0 ]+ p* |& z9 Z, A% |Method 116 m4 t4 D& ~' T1 Y) [* ?
=========
8 b% N# C4 E5 z; w) c; O# ?( W3 E' a }5 G# Z/ m
This method is most known as 'MeltICE' because it has been freely distributed. O2 O& y, L, N7 f! h$ n$ h
via www.winfiles.com. However it was first used by NuMega people to allow) S' q" K: ^8 [7 z) |$ |7 |- Z
Symbol Loader to check if SoftICE was active or not (the code is located+ d& z+ j+ U7 E5 o H$ P$ u
inside nmtrans.dll).8 Q F8 a4 V8 N1 x6 M
& w0 C9 P9 T. e; s7 P: e
The way it works is very simple:
1 S, n5 ^! o. n; W; U* [ ?' c( yIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for' e+ j+ ], w2 Y. W
WinNT) with the CreateFileA API. z( e: A. l' p; L( p
; j- ~! j N4 M
Here is a sample (checking for 'SICE'):; Q! N1 W5 l: H; a0 D* m' C2 t
+ a. _* W* O# d" {0 J& q+ lBOOL IsSoftIce95Loaded()8 O" o V6 Q- B/ X
{
" n0 o, w7 C0 {9 h* F HANDLE hFile;
0 v) H9 i8 `: `: e. s! C% } hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,1 B4 r3 K/ I& ?3 U
FILE_SHARE_READ | FILE_SHARE_WRITE,
+ e4 Z5 E2 P: y NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
$ y0 v' E% n% w1 P* K- M+ M# I if( hFile != INVALID_HANDLE_VALUE )
, l- L4 [# h2 z" w# d/ `( O4 y {6 q) h) q( L8 O8 G% z
CloseHandle(hFile);: L. ?; a6 V6 s4 S' ?6 ?2 z
return TRUE;3 T1 `5 f; f+ K4 Q" }/ c
}1 \3 [5 V# `, B2 l
return FALSE;* Q. K J, a6 N# d% j; N
}
+ x& O, F) D* t9 m m2 J+ q
0 t) z8 ^; M( e9 T% sAlthough this trick calls the CreateFileA function, don't even expect to be
' B- x4 V5 V3 X2 C# T! R' hable to intercept it by installing a IFS hook: it will not work, no way!
& v( n* d; \5 M! i# {In fact, after the call to CreateFileA it will get through VWIN32 0x001F$ a+ W& a6 t4 ~' R- h$ r! ~% V# w
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
$ E/ |0 z1 _! T8 ~/ [and then browse the DDB list until it find the VxD and its DDB_Control_Proc5 h& P+ C" d. I, D* f
field.
1 t7 I" \* Y$ v) c7 T) XIn fact, its purpose is not to load/unload VxDs but only to send a
9 a' Q' H8 `9 bW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
2 K, M5 i' [5 t/ \- Hto the VxD Control_Dispatch proc (how the hell a shareware soft could try
* W1 w. R9 g; l6 Ato load/unload a non-dynamically loadable driver such as SoftICE ;-).' Z% `- a9 D" k- f' p R' r5 ~! t
If the VxD is loaded, it will always clear eax and the Carry flag to allow0 ~ O. n0 T' I U
its handle to be opened and then, will be detected.) ^, R6 F% ~' I. {1 F8 T9 |
You can check that simply by hooking Winice.exe control proc entry point. }; \" i4 c, Q& K. c6 B
while running MeltICE.! @+ F0 u, }6 _1 t" x
7 j) l' y+ Q* ]; i% m" ]% V: K
$ k5 W& g+ b+ z: |. h9 j( M 00401067: push 00402025 ; \\.\SICE
+ v6 z( p: f; o; b/ x% n 0040106C: call CreateFileA+ L0 P# V. U$ r6 i7 K
00401071: cmp eax,-001
4 D/ `9 k1 [& b$ S# e- {# W) W6 C 00401074: je 00401091 `3 l: p1 d, g% f
/ S9 O% P/ W8 o
. B8 M, q2 m+ d, [
There could be hundreds of BPX you could use to detect this trick.
9 j: N* |. d1 _7 T. o2 v-The most classical one is:4 o2 Y* S: u7 C
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
' }( f' O1 e; N$ b O0 N" Q" e- b *(esp->4+4)=='NTIC'% ~! W- `; z) x
. P$ p, w& ?+ f8 U0 Z-The most exotic ones (could be very slooooow :-(
) ~) @/ y9 A. p+ O) x% z/ p8 j; u9 i' ] BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
$ v2 _* A- V2 a# e" Q ;will break 3 times :-(6 q) M# }1 j; v# }' P
* t R' ^. m S) w& r& d% A5 C
-or (a bit) faster: ( f6 F& z6 [5 @( v4 I* D$ j0 v
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
4 s3 y5 k5 {9 L; }9 h1 z! Z4 r! ~+ J# Z: `
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
7 k# G5 l* D" m/ D# @: U ;will break 3 times :-(
/ o# }+ h$ y9 R0 a9 I% D5 L* ^9 ]! |& [2 Z- Y3 W, c+ g9 s, `" G2 l7 o6 |
-Much faster:
- _6 B2 H0 G6 h# x7 v2 ` BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'3 E+ D( c9 V) d' X$ W' z* a8 O
$ z0 O; K7 Y! S6 e
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
& k$ G# ]( b/ o( e# C, \3 s+ mfunction to do the same job:
& n/ D/ K, {) A9 S5 S" N( W0 U9 ?/ }0 {* X/ ^# }
push 00 ; OF_READ
* A* b* V2 d' f$ ?( i mov eax,[00656634] ; '\\.\SICE',0
4 u* H( J: W- `! \, S: C/ p0 } push eax2 M' x7 j, y/ B) t# |6 K
call KERNEL32!_lopen
- V/ `/ a, c: @2 J8 q" z inc eax8 ~ T$ i9 w: Z5 u3 K# M" f
jnz 00650589 ; detected
* K4 k" x( ?7 W. n1 N push 00 ; OF_READ! B$ R/ P' R% M) y/ a
mov eax,[00656638] ; '\\.\SICE'- f0 U% E/ I* ~* I, l4 O- W" k
push eax
4 Y: s. ^0 X2 b) g4 S# C. b8 X; E call KERNEL32!_lopen7 @# A. Z$ r/ w- V
inc eax# z+ T; J5 n3 u4 d
jz 006505ae ; not detected
" ~9 ?+ H- a- E' ^& J' `
. ]) k6 S/ l" N/ i- Y$ V. z
/ O7 n- X5 y' W, Z__________________________________________________________________________" F! ^$ a4 D) o' k& \4 g/ u1 S
; e) R5 Q) D! c3 x
Method 12, T% Z2 t" @. x, q3 \! B& H
=========
* n; _1 W2 K& J) f8 V' @# S5 Q1 A4 `. o( w- }) ^# n _4 l
This trick is similar to int41h/4fh Debugger installation check (code 054 _' x ?9 W7 c% h/ H6 |5 A
& 06) but very limited because it's only available for Win95/98 (not NT)
7 @$ @% a7 G- ~- Zas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
* K/ l/ r# M- }+ x0 _ {6 B) y7 o' ]- p4 M! H, W) p
push 0000004fh ; function 4fh6 K# P+ E. G0 D2 n! |. e+ W; W2 [
push 002a002ah ; high word specifies which VxD (VWIN32)/ x$ S1 Q* A8 s* N. D! J* Q
; low word specifies which service
( G, A. @7 h. v+ a& S; L (VWIN32_Int41Dispatch), _. d6 Q4 P% n/ {9 [ }
call Kernel32!ORD_001 ; VxdCall) v9 r2 j/ e9 j/ z- F
cmp ax, 0f386h ; magic number returned by system debuggers
* ?7 o+ f7 u0 v2 F jz SoftICE_detected
+ X/ V! g3 v! }& f3 [$ s- t7 l
) f7 n. w7 F$ p2 q% U/ g+ a fHere again, several ways to detect it:! D& k" J+ L# `
$ o4 A4 C6 l: M2 E4 L5 { BPINT 41 if ax==4f' G; T" e4 |0 o* g" y( u& A
6 s n; d+ }+ O# M9 d! H BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one& a8 O# k, i6 @% T+ E. E) W! l+ m* n: y
- g7 D$ F I8 N$ l
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
( n% [! w' Z/ x1 z* y2 `; v. S! B+ ~: M" D4 x$ a. Z, B) t
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
0 O4 s' F3 F Y8 s1 E+ W7 u+ Z: M) f; H$ Q
__________________________________________________________________________
/ K; |4 z/ L' V" B+ w
N/ N9 |" T) k9 B( f& W# t! \Method 13
* e! ~: c4 o) b- B% l=========! l- u3 c8 E# A
6 Y7 k8 m C5 \, SNot a real method of detection, but a good way to know if SoftICE is
' p3 H3 L3 V9 zinstalled on a computer and to locate its installation directory.
/ V7 O8 w$ L+ Z3 kIt is used by few softs which access the following registry keys (usually #2) :1 N% e7 G6 D6 ]; b8 c, P8 ]6 b+ w Q
; j; {5 z: E, o- t/ S. X-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
; T5 N" k4 A* F4 z" `8 i\Uninstall\SoftICE
2 ]/ u8 N9 ]' d4 V1 G7 U# g-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
0 w* D& p; ] k3 r/ F0 r-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
8 w+ L7 [' `8 f2 {\App Paths\Loader32.Exe
2 Q7 K7 ^1 G: y- D+ k% R/ S- K/ x& A2 l8 f' k! Y
. a* B6 p2 y7 O+ M8 NNote that some nasty apps could then erase all files from SoftICE directory7 r# W, _# b$ M0 e/ z2 [/ C
(I faced that once :-(
, `! t( }. K9 L) u% J) X. _' x/ o
5 h% s! P6 Z) U" D Y; m! DUseful breakpoint to detect it:; r7 `5 E `$ U
2 T- I& Z7 e- k( A& ? I l$ l3 s BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
% `7 J/ x4 Q+ c& }$ H: h7 {! f& z1 A: \
__________________________________________________________________________: O9 A7 Z5 |, }; b% l: s- a0 {
9 E8 z4 u: g s2 z
2 W: a6 E& k6 CMethod 14 / d' W# o& P) p, i2 i; k2 t
=========
" z2 V' j, ~. E' e- r; s$ Y" d$ i9 ~: y+ R3 m
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose9 Y. P9 T4 n. m0 Y
is to determines whether a debugger is running on your system (ring0 only).7 z; {9 g# E) ]. p: J
) s/ [$ y1 H8 ?) E# p2 R# X VMMCall Test_Debug_Installed. T* z- f7 G9 \' H) }, g9 y
je not_installed
' @* q* {" G+ u8 f. p x& x8 A0 \. r4 h" B9 ~- `
This service just checks a flag.9 l" t9 \: q, @3 Y0 g
</PRE></TD></TR></TBODY></TABLE> |