<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911  ; execute command.
    4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647  ; 1st magic value.
    4C19:009D MOV DI,4A4D  ; 2nd magic value.
    4C19:00A0 INT 3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
    4C19:00A8 JB 0095      ; 6 different commands.
    4C19:00AA JMP 0002     ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs             ; es is assumed to hold 0 (the IVT segment) here
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

The replacement handler copies AL into CL; if SoftICE has hooked int 41h and
handles the call itself, CL keeps the zero set before the call and the compare
fails.

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only when the driver is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025 ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                ; OF_READ
    mov eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589           ; detected
    push 00                ; OF_READ
    mov eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae            ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
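Added here as a worked example (not part of the original text or of any tool it names): a Python signature scanner that flags the byte-level fingerprints of Methods 01, 02, 03/04, 05/07, 11, 12 and 13 in a file, the analyst-side counterpart of the BPX conditions given above. The byte patterns are my own encodings of the listings (16-bit forms with an optional 66h prefix) and the sample bytes are constructed; the gap lengths are assumptions to tune for real code.

```python
"""Static scanner for the SoftICE detection tricks catalogued on this page.

Looks for the byte-level fingerprints those tricks leave in a binary (x86
immediates are little-endian) and reports where each occurs, so an analyst can
locate anti-debug checks in a sample before running it."""
import re
from typing import List, Tuple


def _near(head: bytes, tail: bytes, gap: int = 16) -> bytes:
    """Pattern: literal `head`, at most `gap` arbitrary bytes, literal `tail`."""
    return re.escape(head) + rb".{0,%d}?" % gap + re.escape(tail)


# (label, bytes regex); labels use the method numbers from the text above.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 (CCh)
    ("M01 BoundsChecker 'BCHK' int 3", _near(b"\xbd\x4b\x48\x43\x42", b"\xcc")),
    # Method 02: mov si,4647h ; mov di,4A4Dh (66h prefix present in 32-bit code)
    ("M02 int 3 backdoor magic SI/DI", rb"\x66?\xbe\x47\x46.{0,8}?\x66?\xbf\x4d\x4a"),
    # Methods 03/04: mov bx,0202h (SICE) or mov bx,7A5Fh (SIWVID) ... int 2Fh
    ("M03/04 int 2Fh/1684h VxD ID probe", rb"\x66?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f"),
    # Methods 05/07: int 41h or int 68h ... cmp ax,0F386h
    ("M05/07 int 41h/68h F386h check", rb"\xcd[\x41\x68].{0,16}?\x66?\x3d\x86\xf3"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("M12 VxDCall Int41Dispatch", rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    # Method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE passed to CreateFileA/_lopen
    ("M11 MeltICE driver name", re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    # Method 13: the three registry keys listed above
    ("M13 SoftICE registry key",
     rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (label, offset) for every fingerprint found, ordered by offset."""
    hits = [(label, m.start()) for label, rx in COMPILED for m in rx.finditer(blob)]
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample, not a real binary: fragments hand-assembled from the
# listings above, padded with NOPs so the reported offsets are easy to verify.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"      # Method 01 at 4
    + b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcd\x03"  # Method 02 at 25
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"              # Method 05 at 40
    + b"\x90" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00\xe8\x00\x00\x00\x00\x66\x3d\x86\xf3"  # Method 12 at 51
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00Software\\NuMega\\SoftICE\x00"         # Methods 11/13 at 71/89
)

if __name__ == "__main__":
    for label, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Run it on a real file with scan(open(path, "rb").read()); byte patterns can also match inside data, so treat hits as leads to confirm in a disassembler.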
</PRE></TD></TR></TBODY></TABLE>