<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface signature in SoftICE:

        mov ebp, 04243484Bh      ; 'BCHK' signature
        mov ax, 04h
        int 3                    ; al is changed when SoftICE handles the call
        cmp al,4                 ; al unchanged -> no SoftICE
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h            ; VxD ID of winice
        int 2Fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di               ; (stays 0:0 if the VxD is not loaded)
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh            ; VxD ID of SIWVID
        int 2fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first pointed at a
dummy handler that just returns (ES is assumed to be 0, the interrupt vector
table segment, as set explicitly in Method 06):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]      ; install dummy handler, save old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]      ; restore old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al                ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                ; ES = 0 (interrupt vector table)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]      ; install our handler, save old vector
        xchg bx, es:[41h*4+2]
        in al, 40h               ; al = timer byte (unpredictable value)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]      ; restore old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al                ; cl != al -> our handler was bypassed
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h                      ; DOS: set interrupt vector
        mov al, Int_Number               ; 01h or 03h
        mov dx, offset New_Int_Routine   ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Try to open the SoftICE Win9x VxD through its device name. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* The open succeeded, so the driver is loaded. */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025          ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                  ; HFILE_ERROR (-1) becomes 0
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh           ; function 4fh
        push 002a002ah           ; high word specifies which VxD (VWIN32),
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001    ; VxdCall
        cmp ax, 0f386h           ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
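Added example (not part of the original text, nor code from NuMega, Stone, HASP or any other program named above): a small static scanner in Python that looks for the instruction sequences of methods 01 to 07, 11 and 12 in a raw binary, the kind of triage an analyst runs on a sample to learn which anti-debugging tricks it carries before loading it under a debugger. The byte encodings were derived by hand from the listings above; the sample input, the window size and the signature names are constructed here and are my own choices.

```python
"""Static scanner for the SoftICE-detection opcode patterns quoted above.

Added example; the byte encodings were derived by hand from the listings on
this page and the sample input is constructed below (not from a real file).
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    fragments: Tuple[bytes, ...]  # fragments[0] is the anchor; the others must
    window: int = 16              # appear within +/- window bytes around it


# Encodings used (16-bit real mode unless noted):
#   mov si,4647h   BE 47 46     mov di,4A4Dh   BF 4D 4A     int 3    CC
#   mov ax,1684h   B8 84 16     mov bx,0202h   BB 02 02     int 2Fh  CD 2F
#   mov bx,7A5Fh   BB 5F 7A     mov ax,4Fh     B8 4F 00     int 41h  CD 41
#   mov ah,43h     B4 43        int 68h        CD 68
#   32-bit: mov ebp,4243484Bh  BD 4B 48 43 42   push 4Fh  6A 4F
#           push 002A002Ah     68 2A 00 2A 00
SIGNATURES: List[Signature] = [
    Signature("Method 01: BoundsChecker 'BCHK' interface over int 3",
              (b"\xBD\x4B\x48\x43\x42", b"\xCC")),
    Signature("Method 02: int 3 back door (SI=4647h, DI=4A4Dh)",
              (b"\xBE\x47\x46", b"\xBF\x4D\x4A", b"\xCC")),
    Signature("Method 03: int 2Fh/1684h with VxD ID 0202h (SICE)",
              (b"\xBB\x02\x02", b"\xB8\x84\x16", b"\xCD\x2F")),
    Signature("Method 04: int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
              (b"\xBB\x5F\x7A", b"\xB8\x84\x16", b"\xCD\x2F")),
    Signature("Method 05: int 41h function 4Fh",
              (b"\xCD\x41", b"\xB8\x4F\x00")),
    Signature("Method 07: int 68h function 43h",
              (b"\xCD\x68", b"\xB4\x43")),
    Signature("Method 11: MeltICE device name \\\\.\\SICE", (b"\\\\.\\SICE",)),
    Signature("Method 11: MeltICE device name \\\\.\\SIWVID", (b"\\\\.\\SIWVID",)),
    Signature("Method 11: MeltICE device name \\\\.\\NTICE", (b"\\\\.\\NTICE",)),
    Signature("Method 12: VxDCall VWIN32_Int41Dispatch, function 4Fh",
              (b"\x68\x2A\x00\x2A\x00", b"\x6A\x4F")),
]


def find_signatures(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, anchor offset) for every hit, ordered by offset."""
    hits: List[Tuple[str, int]] = []
    for sig in SIGNATURES:
        anchor = sig.fragments[0]
        pos = data.find(anchor)
        while pos >= 0:
            # The other fragments may sit before or after the anchor, so the
            # region extends on both sides (the HASP loop sets SI before DI,
            # other code may do the opposite).
            lo = max(0, pos - sig.window)
            region = data[lo:pos + len(anchor) + sig.window]
            if all(frag in region for frag in sig.fragments[1:]):
                hits.append((sig.name, pos))
            pos = data.find(anchor, pos + 1)
    return sorted(hits, key=lambda hit: hit[1])


def scan_file(path: str) -> List[Tuple[str, int]]:
    """Scan a file on disk (raw bytes only: no unpacking, no disassembly)."""
    with open(path, "rb") as fh:
        return find_signatures(fh.read())


# Constructed sample: the HASPINST loop from Method 02 assembled by hand, a
# 32-bit BCHK probe (Method 01) and a MeltICE device name (Method 11), padded
# with NOPs and zero bytes.  Not bytes taken from any real program.
HASP_LOOP = bytes.fromhex(
    "B81109"    # mov ax,0911h
    "8B17"      # mov dx,[bx]
    "BE4746"    # mov si,4647h
    "BF4D4A"    # mov di,4A4Dh
    "CC"        # int 3
    "83C302"    # add bx,2
    "41"        # inc cx
    "83F906"    # cmp cx,6
    "72EB"      # jb 0095h
    "E955FF"    # jmp 0002h
    "8BDC"      # mov bx,sp
)
BCHK_PROBE = bytes.fromhex(
    "BD4B484342"  # mov ebp,4243484Bh  ('BCHK')
    "66B80400"    # mov ax,4
    "CC"          # int 3
    "3C04"        # cmp al,4
    "7505"        # jnz SoftICE_Detected (dummy rel8 target)
)
SAMPLE = (b"\x90" * 16 + HASP_LOOP + b"\x00" * 8 + BCHK_PROBE
          + b"\x00" * 4 + b"\\\\.\\SICE\x00")

if __name__ == "__main__":
    for name, offset in find_signatures(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Because it only matches raw bytes, the scanner misses code that builds the constants at run time or sits in a packed section, and a two-byte anchor such as CD 41 can occur by chance in data; treat its hits as leads to confirm with the breakpoints listed in the text rather than as proof.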

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed         ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>