<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4 ; SoftICE answers the BCHK request by changing al
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI stays 0 if no VxD with that ID is loaded
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; es must point to the interrupt vector table (segment 0)
 xchg bx, es:[41h*4+2] ; install our own int 41h handler, saving the old one
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h ; a system debugger answers even though our handler is installed
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect
(no function number and no magic value are used):

int41handler PROC
 mov cl,al ; if our handler really runs, cl receives al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; es = interrupt vector table
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, saving the old vector
 xchg bx, es:[41h*4+2]
 in al, 40h ; pseudo-random byte from the timer port
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al ; cl != al: our handler was bypassed by the debugger
 jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
) p2 }) Y+ {5 D, _
+ U0 m% K. b- `! K- B0 NMethod 082 K( E2 V& }: \+ x' U
=========+ w, O& M% }/ H2 D9 E; X, P* m
V) W! x0 b& B9 {+ vIt is not a method of detection of SoftICE but a possibility to crash the
( m0 k* w8 p% J: ~9 a3 I9 Ssystem by intercepting int 01h and int 03h and redirecting them to another# X1 ^+ B$ ]3 N7 d5 k
routine.
0 \' J2 v4 |" N* BIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points$ G% F7 h# y e/ ^; j& F! l
to the new routine to execute (hangs computer...)
# g4 G: {, W7 A9 Y/ r4 r8 F
5 n# E0 O. s# q' R$ K: ~) Y mov ah, 25h* S" e$ M4 k1 x- A9 L1 I5 q& _* X
mov al, Int_Number (01h or 03h)
7 V) b8 r' s' r+ q! q mov dx, offset New_Int_Routine$ C3 Z: I9 ~/ z/ D$ l9 j
int 21h
; i! G; }+ @3 R3 E0 K) E. j& d
# q* Y; K( r: h# i; m) Z% j8 r3 U" `__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
___________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile); /* the driver is loaded: close it and report */
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
*(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) when the open fails
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>