<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE implements: int 3
is issued with EBP='BCHK' and AX=04h. If SoftICE is loaded it services the
call and returns with AL=0, otherwise AL is still 4. (Under Win32 an int 3
with no debugger present raises a breakpoint exception, so the 32-bit
variants wrap the call in an exception handler, as noted for Method 02.)

          mov ebp, 04243484Bh       ; 'BCHK'
          mov ax, 04h
          int 3
          cmp al,4
          jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is the
SoftICE 'back door' interface: an int 3 with magic values in SI and DI
gives information on breakpoints, or executes SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911         ; execute command.
4C19:0098 MOV DX,[BX]         ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647         ; 1st magic value.
4C19:009D MOV DI,4A4D         ; 2nd magic value.
4C19:00A0 INT 3               ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02           ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06           ; Repeat 6 times to execute
4C19:00A8 JB 0095             ; 6 different commands.
4C19:00AA JMP 0002            ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP           ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It asks for the V86 API entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point). If the VxD is not loaded, ES:DI
comes back unchanged (0000:0000), so a non-zero ES+DI means SoftICE is there.

          xor di,di
          mov es,di
          mov ax, 1684h
          mov bx, 0202h             ; VxD ID of WINICE (SICE)
          int 2Fh
          mov ax, es                ; ES:DI -> VxD API entry point
          add ax, di
          test ax,ax
          jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

          xor di,di
          mov es,di
          mov ax, 1684h
          mov bx, 7a5Fh             ; VxD ID of SIWVID
          int 2fh
          mov ax, es                ; ES:DI -> VxD API entry point
          add ax, di
          test ax,ax
          jnz SoftICE_Detected

Both variants can be caught with BPINT 2F if ax==1684 (add && bx==0202 or
&& bx==7a5f to filter out other VxD queries).

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

          mov ax,4fh
          int 41h
          cmp ax, 0F386h
          jz SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Note that in a plain DOS session the
int 41h vector points at the fixed disk parameter table, not at code, so
calling it with no debugger loaded would execute garbage: Stone's versions
first swap in a dummy handler (ES must point to the IVT at 0000h, as done
explicitly in Method 06) and restore the original vector afterwards. A
system debugger answers the call before it reaches the real-mode vector, so
the dummy handler only runs when no debugger is loaded.

          mov bx, cs
          lea dx, int41handler2
          xchg dx, es:[41h*4]
          xchg bx, es:[41h*4+2]
          mov ax,4fh
          int 41h
          xchg dx, es:[41h*4]
          xchg bx, es:[41h*4+2]
          cmp ax, 0f386h
          jz SoftICE_detected

int41handler2 PROC
          iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: no
function 4Fh and no 0F386h constant to search for. A byte read from the
timer port is left in AL, the dummy handler copies AL into CL, and the two
are compared afterwards. The trick relies on the debugger servicing the
int 41h itself, so that the dummy handler never runs and CL is still 0.
(If the timer byte happens to be 0 the check gives a false negative.)

int41handler PROC
          mov cl,al
          iret
int41handler ENDP


          xor ax,ax
          mov es,ax
          mov bx, cs
          lea dx, int41handler
          xchg dx, es:[41h*4]
          xchg bx, es:[41h*4+2]
          in al, 40h
          xor cx,cx
          int 41h
          xchg dx, es:[41h*4]
          xchg bx, es:[41h*4+2]
          cmp cl,al
          jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86), function 43h
(installation check): a system debugger answers with AX=0F386h.

          mov ah,43h
          int 68h
          cmp ax,0F386h
          jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

          BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
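
As an added illustration (my code, not from the original page nor from any of
the packers it mentions), here is a small Python scanner that searches a raw
code buffer for the byte encodings of the instructions quoted in Methods 01
to 07: the 'BCHK' and 4647h/4A4Dh immediates, int 2Fh/1684h with VxD ID
0202h or 7A5Fh, function 4Fh before int 41h, function 43h before int 68h and
the compare against 0F386h. The sample buffer at the bottom is hand-assembled
for this example, not bytes taken from Haspinst.exe or any real program; the
encodings themselves are the standard 8086/386 ones. A packer that computes
the magic values at run time instead of loading them as immediates slips past
a scanner like this, which is why the breakpoints listed on this page remain
the reliable way to catch the tricks under SoftICE.

```python
"""Static scanner for the SoftICE-detection idioms of Methods 01-07."""
import re

GAP = rb".{0,8}?"   # up to 8 unrelated bytes between the instructions


def either_order(a: bytes, b: bytes) -> bytes:
    """Regex fragment matching instruction a then b, or b then a."""
    return rb"(?:" + a + GAP + b + rb"|" + b + GAP + a + rb")"


# Instruction encodings (16-bit operand size; a 66h prefix in front of the
# 32-bit forms does not disturb the match).
MOV_EBP_BCHK  = rb"\xbd\x4b\x48\x43\x42"   # mov ebp,4243484Bh ('BCHK')
MOV_AX_4      = rb"\xb8\x04\x00"           # mov ax,4
MOV_SI_FG     = rb"\xbe\x47\x46"           # mov si,4647h
MOV_DI_JM     = rb"\xbf\x4d\x4a"           # mov di,4A4Dh
MOV_AX_1684   = rb"\xb8\x84\x16"           # mov ax,1684h
MOV_BX_SICE   = rb"\xbb\x02\x02"           # mov bx,0202h
MOV_BX_SIWVID = rb"\xbb\x5f\x7a"           # mov bx,7A5Fh
MOV_AX_4F     = rb"\xb8\x4f\x00"           # mov ax,4Fh
MOV_AH_43     = rb"\xb4\x43"               # mov ah,43h
IN_AL_40      = rb"\xe4\x40"               # in al,40h
INT3, INT2F, INT41, INT68 = rb"\xcc", rb"\xcd\x2f", rb"\xcd\x41", rb"\xcd\x68"
CMP_AX_F386   = rb"\x3d\x86\xf3"           # cmp ax,0F386h

SIGNATURES = {
    "M01": (either_order(MOV_EBP_BCHK, MOV_AX_4) + GAP + INT3,
            "BoundsChecker 'BCHK' int 3 (Method 01)"),
    "M02": (either_order(MOV_SI_FG, MOV_DI_JM),
            "SoftICE int 3 back door, SI=4647h/DI=4A4Dh (Method 02)"),
    "M03": (either_order(MOV_AX_1684, MOV_BX_SICE) + GAP + INT2F,
            "int 2Fh/1684h for VxD ID 0202h SICE (Method 03)"),
    "M04": (either_order(MOV_AX_1684, MOV_BX_SIWVID) + GAP + INT2F,
            "int 2Fh/1684h for VxD ID 7A5Fh SIWVID (Method 04)"),
    "M05": (MOV_AX_4F + GAP + INT41,
            "int 41h function 4Fh installation check (Method 05)"),
    "M06": (IN_AL_40 + GAP + INT41,
            "int 41h fed with a timer byte (Method 06)"),
    "M07": (MOV_AH_43 + GAP + INT68,
            "int 68h function 43h installation check (Method 07)"),
    "F386": (CMP_AX_F386,
             "compare of AX against the debugger magic 0F386h"),
}
COMPILED = {key: re.compile(pat, re.S) for key, (pat, _) in SIGNATURES.items()}


def scan(code: bytes):
    """Return sorted (offset, key) pairs for every signature found in code."""
    hits = []
    for key, pat in COMPILED.items():
        for m in pat.finditer(code):
            hits.append((m.start(), key))
    return sorted(hits)


# Constructed sample: hand-assembled 16-bit code for Methods 01, 02, 03, 05
# and 07 separated by NOP padding (not bytes taken from any real program).
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04\x75\x10"   # Method 01
    + b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"           # Method 02
    + b"\x90" * 4
    + b"\x31\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"           # Method 03
    + b"\x8c\xc0\x01\xf8\x85\xc0\x75\x10"
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"                   # Method 05
    + b"\x90" * 4
    + b"\xb4\x43\xcd\x68\x3d\x86\xf3\x74\x10"                       # Method 07
)

if __name__ == "__main__":
    for offset, key in scan(SAMPLE):
        print(f"{offset:04x}: {key:5s} {SIGNATURES[key][1]}")
```

Run it on a section dumped from a packed executable (or on the whole file,
since the patterns are position independent); a hit on "F386" alone is
weak evidence, a hit on one of the M0x patterns is a concrete place to set a
breakpoint.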

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...).
Since SoftICE itself lives on int 1 (single step) and int 3 (breakpoints),
anything re-vectoring them while you trace deserves a look, e.g.
BPINT 21 if ah==25.

          mov ah, 25h
          mov al, Int_Number        ; 01h or 03h
          mov dx, offset New_Int_Routine
          int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using the VxDCall
back door).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed.

          mov eax, Device_ID    ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
          mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
          VMMCall Get_DDB
          mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
          bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect if SoftICE is loaded (DR7=0x700 if you loaded the soft with
the SoftICE loader, 0x400 otherwise: bit 10 of DR7 always reads as 1, the
loader additionally leaves the LE/GE bits 8 and 9 set) or if there are some
memory breakpoints (BPM) set, since those live in DR0 to DR3 with their
enable bits in the low byte of DR7. Values can be manipulated or changed as
well (clearing BPMs for instance), which silently kills the breakpoints you
set.

__________________________________________________________________________

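Added example (my code, not the page's or any protector's): a Python decoder
for what the ring-0 read of the debug registers described above actually
returns. The register snapshot at the bottom is constructed for the example;
the bit layout of DR7 is the documented one from the Intel manuals. It shows
what a protector sees (the LE/GE bits the page attributes to the SoftICE
loader, and each BPM as an address/kind/length triple) and what the
"clearing BPMs" manipulation amounts to.

```python
"""Decode the x86 debug registers as a ring-0 check in the spirit of Method 10 would.

DR7 layout (Intel SDM): bits 0-7 are the L0/G0 .. L3/G3 enable pairs, bit 8 LE,
bit 9 GE, bit 10 always reads as 1, bit 13 GD, and for breakpoint i the R/Wi
field sits at bits 16+4i..17+4i and LENi at bits 18+4i..19+4i.
"""
from dataclasses import dataclass
from typing import List

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 2 = 8 bytes only on 64-bit CPUs, undefined on a 386


@dataclass
class HwBreakpoint:
    slot: int        # 0..3, i.e. which of DR0..DR3 holds the address
    address: int
    kind: str        # execute / write / io / read/write
    length: int      # bytes covered
    scope: str       # local, global, or local+global


def decode_breakpoints(dr7: int, dr0_3: List[int]) -> List[HwBreakpoint]:
    """Return the hardware breakpoints DR7 currently enables (SoftICE BPMs show up here)."""
    found = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        scope = {(1, 0): "local", (0, 1): "global", (1, 1): "local+global"}[(local, glob)]
        found.append(HwBreakpoint(i, dr0_3[i], RW_KIND[rw], LEN_BYTES[ln], scope))
    return found


def control_flags(dr7: int) -> dict:
    """The non-breakpoint bits a protector looks at."""
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "GD": bool(dr7 & (1 << 13)),   # general detect: any MOV to/from a DRx traps
    }


def matches_softice_loader(dr7: int) -> bool:
    """The page's observation: DR7 reads 0x700 under the SoftICE loader and 0x400
    otherwise, i.e. LE and GE are set on top of the always-set bit 10."""
    return (dr7 & 0x700) == 0x700


def clear_bpms(dr7: int) -> int:
    """What a nasty protector writes back in ring 0: all four enable pairs cleared,
    which silently disables every BPM without touching DR0-DR3."""
    return dr7 & ~0xFF


# Constructed register snapshot (not a dump from a real machine): a local 2-byte
# write watch in DR0 and a global 4-byte read/write watch in DR3, LE/GE set.
SAMPLE_DR7 = 0xF0050781
SAMPLE_DR0_3 = [0x00401000, 0, 0, 0x0012FF7C]

if __name__ == "__main__":
    for bp in decode_breakpoints(SAMPLE_DR7, SAMPLE_DR0_3):
        print(bp)
    print(control_flags(SAMPLE_DR7), matches_softice_loader(SAMPLE_DR7))
```

The decoder is also handy the other way round: dump DR7 from SoftICE while a
protected program runs and feed it here to see whether the target has
already zeroed your BPMs.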
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;        /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

          00401067: push 00402025      ; \\.\SICE
          0040106C: call CreateFileA
          00401071: cmp eax,-001
          00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
          BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                             *(esp->4+4)=='NTIC'
   (esp->4 is the lpFileName argument; the +4 skips the "\\.\" prefix so
   the 4 bytes compared are the driver name.)

-The most exotic ones (could be very slooooow :-(
          BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                                 ;will break 3 times :-(

-or (a bit) faster:
          BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

          BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                                 ;will break 3 times :-(

-Much faster:
          BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on
failure, hence the inc eax / jz test):

          push 00                   ; OF_READ
          mov eax,[00656634]        ; '\\.\SICE',0
          push eax
          call KERNEL32!_lopen
          inc eax
          jnz 00650589              ; detected
          push 00                   ; OF_READ
          mov eax,[00656638]        ; '\\.\SICE'
          push eax
          call KERNEL32!_lopen
          inc eax
          jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem Demo.

          push 0000004fh            ; function 4fh
          push 002a002ah            ; high word specifies which VxD (VWIN32)
                                    ; low word specifies which service
                                    ; (VWIN32_Int41Dispatch)
          call Kernel32!ORD_0001    ; VxDCall
          cmp ax, 0f386h            ; magic number returned by system debuggers
          jz SoftICE_detected

Here again, several ways to detect it:

          BPINT 41 if ax==4f

          BPINT 30 if ax==0xF386     ; SoftICE must be loaded for this one

          BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

          BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

          BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

   (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
   in the subkey strings of #2 and #1 respectively, so #3 is not covered.)

__________________________________________________________________________

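An added example (my code, not from the page nor from MeltICE) to make the
CreateFileA breakpoint of Method 11 and the _regopenkey breakpoint of
Method 13 concrete: it lays out the stack frame an API sees at entry,
implements SoftICE's "esp->n" pointer notation over it and evaluates both
conditions. The frames and addresses are constructed for the example (the
string address 00402025 and return address 00401071 are borrowed from the
MeltICE listing; the argument values are made up). It confirms that 0x13 and
0x37 are where "tICE" sits in the subkey strings of keys #2 and #1, and that
key #3 does not trigger.

```python
"""Evaluate the SoftICE breakpoint conditions of Methods 11 and 13 against a
constructed memory image.

SoftICE's 'reg->n' reads the dword at [reg+n]; at the entry of a stdcall API
esp->0 is the return address, esp->4 the first argument, esp->8 the second.
"""


class Memory:
    """Flat little-endian address space assembled from (address, bytes) chunks."""

    def __init__(self, chunks):
        self.chunks = list(chunks)

    def read(self, addr: int, n: int):
        for base, data in self.chunks:
            if base <= addr and addr + n <= base + len(data):
                return data[addr - base:addr - base + n]
        return None      # unmapped: the comparison simply fails

    def dword(self, addr: int) -> int:
        data = self.read(addr, 4)
        return int.from_bytes(data, "little") if data is not None else 0

    def chars4(self, addr: int) -> str:
        """The 4 bytes a SoftICE *(addr)=='ABCD' compares, as text."""
        data = self.read(addr, 4)
        return data.decode("latin-1") if data is not None else ""


def arg(mem: Memory, esp: int, n: int) -> int:
    """esp->(4*n): the n-th stdcall argument at API entry (n=1 is the first)."""
    return mem.dword(esp + 4 * n)


def bpx_createfilea(mem: Memory, esp: int) -> bool:
    """BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'"""
    lp_file_name = arg(mem, esp, 1)
    return mem.chars4(lp_file_name + 4) in ("SICE", "SIWV", "NTIC")   # +4 skips "\\.\"


def bpx_regopenkey(mem: Memory, esp: int) -> bool:
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'"""
    lp_sub_key = arg(mem, esp, 2)
    return any(mem.chars4(lp_sub_key + off) == "tICE" for off in (0x13, 0x37))


def frame_at_entry(esp: int, ret_addr: int, args, strings) -> Memory:
    """Stack frame [return address][args...] at esp, plus NUL-terminated strings elsewhere."""
    stack = b"".join(v.to_bytes(4, "little") for v in (ret_addr, *args))
    data = [(a, s.encode("latin-1") + b"\0") for a, s in strings]
    return Memory([(esp, stack)] + data)


# Constructed frames; 0x80000002 is HKEY_LOCAL_MACHINE, 0xC0000000 is
# GENERIC_READ | GENERIC_WRITE as in the MeltICE source above.
ESP = 0x0012FF70
MELTICE = frame_at_entry(ESP, 0x00401071,
                         [0x00402025, 0xC0000000, 3, 0, 3, 0x80, 0],
                         [(0x00402025, r"\\.\SICE")])
INNOCENT = frame_at_entry(ESP, 0x00401071,
                          [0x00402025, 0x80000000, 1, 0, 3, 0x80, 0],
                          [(0x00402025, r"\\.\COM1")])
REG_ARGS = [0x80000002, 0x00403000, 0x0012FFB0]          # hKey, lpSubKey, phkResult
REG_NUMEGA = frame_at_entry(ESP, 0x00401200, REG_ARGS,
                            [(0x00403000, r"Software\NuMega\SoftICE")])
REG_UNINSTALL = frame_at_entry(ESP, 0x00401200, REG_ARGS,
                               [(0x00403000, r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE")])
REG_OTHER = frame_at_entry(ESP, 0x00401200, REG_ARGS,
                           [(0x00403000, r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe")])

if __name__ == "__main__":
    print(bpx_createfilea(MELTICE, ESP), bpx_createfilea(INNOCENT, ESP))
    print(bpx_regopenkey(REG_NUMEGA, ESP), bpx_regopenkey(REG_UNINSTALL, ESP),
          bpx_regopenkey(REG_OTHER, ESP))
```

The same frame helper can be used to sanity-check any other esp-> expression
on this page before typing it into SoftICE, where a wrong offset just means
the breakpoint silently never fires.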
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).
The service returns with the zero flag clear if a debugger is installed and
set otherwise.

          VMMCall Test_Debug_Installed
          je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>