<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE answers to: the program
loads the 'BCHK' signature into EBP, sets AL to 04h and issues INT 3. If
SoftICE is loaded it recognises the interface and modifies AL on return, so
the comparison of AL against 4 fails.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands reached through INT 3, which return information
about breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
These are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH handler if the debugger is not
  loaded (with no SoftICE to swallow it, the INT 3 raises an exception that
  the program catches).
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). ES:DI is zeroed first; if the VxD is loaded, the
call returns its API entry point in ES:DI, so a non-zero ES:DI means SoftICE.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned in AX by any system
debugger that implements the int 41h debugging interface. It calls int 41h,
function 4Fh (debugger installation check).
There are several variants.
The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next variant, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector in the interrupt
vector table is temporarily replaced by a dummy IRET handler before the call,
so a debugger that only hooks the real-mode vector is bypassed and AX comes
back unchanged; SoftICE intercepts int 41h before the vector is used and
still answers 0F386h.

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install the dummy handler, old offset -> DX
        xchg bx, es:[41h*4+2]   ; ... and old segment -> BX
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second variant, similar to the preceding one but harder to detect. The
int 41h vector is again replaced by a private handler, which simply copies AL
into CL. AL is first loaded with an unpredictable value (read from the timer
port 40h) and CX is cleared. If the private handler runs, CL equals AL
afterwards; if SoftICE intercepts int 41h, the private handler is never
reached, CL stays 0 and the mismatch reveals the debugger. No magic number is
compared, so a breakpoint on the 0F386h check does not catch it.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; unpredictable value from the PIT
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode), function 43h
(installation check), which returns 0F386h when a debugger is present:

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only be
performed from ring 0 (a VxD, or a ring 3 app going through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns that device's Device Description Block
(in ecx) if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only) you can detect whether SoftICE
is loaded (dr7 = 0x700 if you loaded the program with the SoftICE loader,
0x400 otherwise) and whether memory breakpoints are set (dr0 to dr3), simply
by reading their values. The values can be manipulated or changed as well
(clearing BPMs, for instance).

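Reading DR7 from ring 0 only gives you a number; deciding what it means is
the part a protection (or the reverser analysing it) has to get right. The
following decoder is an added example, not code from the original document:
it splits a DR7 value into its four breakpoint slots (enable bits, access
type and length) and applies the heuristic stated above (LE and GE set, as in
0x700, versus the always-one bit 10 alone, as in 0x400). The sample values are
constructed; a real check would read DR7 with MOV from ring 0.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit layout of DR7 as documented in the Intel SDM (vol. 3, Debug Registers). */
#define DR7_L(n)       (1u << (2 * (n)))       /* local enable for slot n  */
#define DR7_G(n)       (1u << (2 * (n) + 1))   /* global enable for slot n */
#define DR7_LE         (1u << 8)               /* local exact breakpoint enable  */
#define DR7_GE         (1u << 9)               /* global exact breakpoint enable */
#define DR7_RESERVED1  (1u << 10)              /* always reads as 1 */
#define DR7_GD         (1u << 13)              /* general detect: traps MOV DRx */
#define DR7_RW(v, n)   (((v) >> (16 + 4 * (n))) & 3u)
#define DR7_LEN(v, n)  (((v) >> (18 + 4 * (n))) & 3u)

typedef struct {
    int enabled;   /* L or G bit set: the slot is armed, DRn holds the address */
    unsigned rw;   /* 0 = execute, 1 = write, 3 = read/write (2 = I/O) */
    unsigned len;  /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes (2 = 8 bytes, 64-bit only) */
} Dr7Slot;

/* Decode breakpoint slot n (0..3) of a DR7 value. */
Dr7Slot dr7_slot(uint32_t dr7, int n)
{
    Dr7Slot s;
    s.enabled = (dr7 & (DR7_L(n) | DR7_G(n))) != 0;
    s.rw = DR7_RW(dr7, n);
    s.len = DR7_LEN(dr7, n);
    return s;
}

/* Number of armed slots: non-zero means a BPM is set and DR0..DR3 matter. */
int dr7_armed_slots(uint32_t dr7)
{
    int count = 0;
    for (int n = 0; n < 4; n++)
        count += dr7_slot(dr7, n).enabled;
    return count;
}

/* Heuristic from Method 10 (an assumption of this example, taken from the
   text above): the SoftICE loader leaves LE and GE set (0x700), while a clean
   system shows only the always-one bit 10 (0x400). */
int dr7_matches_softice_loader(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

static const char *rw_name(unsigned rw)
{
    static const char *names[] = { "exec", "write", "io", "read/write" };
    return names[rw & 3];
}

void dr7_print(uint32_t dr7)
{
    printf("DR7=%08x  LE=%d GE=%d GD=%d  softice-loader-like=%d  armed=%d\n",
           dr7, !!(dr7 & DR7_LE), !!(dr7 & DR7_GE), !!(dr7 & DR7_GD),
           dr7_matches_softice_loader(dr7), dr7_armed_slots(dr7));
    for (int n = 0; n < 4; n++) {
        Dr7Slot s = dr7_slot(dr7, n);
        if (s.enabled)
            printf("  slot %d: %s, len code %u\n", n, rw_name(s.rw), s.len);
    }
}

int main(void)
{
    /* Constructed sample values: clean system, SoftICE loader, and a
       4-byte write BPM armed in slot 0 (L0=1, R/W0=01, LEN0=11). */
    const uint32_t samples[] = { 0x400u, 0x700u, 0x000D0701u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        dr7_print(samples[i]);
    return 0;
}
```

The third sample shows why a protection that only compares DR7 against 0x700
is fragile: a single BPM changes the value completely, which is also what the
warning at the top of this method is about.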
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to let the
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001 / VxDCall) and then walks
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067:  push 00402025        ; \\.\SICE
 0040106C:  call CreateFileA
 00401071:  cmp  eax,-001
 00401074:  je   00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; _lopen returns -1 (HFILE_ERROR) on failure
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
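Most of the checks in Methods 01 to 12 leave a recognisable byte sequence in
an unpacked binary: the 'BCHK' constant, the SI/DI magic pair, the
int 2Fh/1684h prologue with the SICE or SIWVID VxD ID, int 41h/4Fh, int 68h/43h,
the 0F386h compare, the VWIN32_Int41Dispatch service number and the MeltICE
device names. The scanner below is an added example (not code from the
original document or from any of the tools it names) that searches a buffer
for those sequences and reports which method each hit belongs to. The opcode
encodings are the 16-bit ones for the DOS/V86 tricks and 32-bit ones for the
Win32 tricks; the sample buffer is constructed for the example and taken from
no real program.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Byte patterns of the checks described in Methods 01-12. */
static const unsigned char P_BCHK[]         = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };             /* mov ebp,4243484Bh ('BCHK') */
static const unsigned char P_FGJM[]         = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };       /* mov si,4647h / mov di,4A4Dh */
static const unsigned char P_SICE_VXD[]     = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,0202h / int 2Fh */
static const unsigned char P_SIWVID_VXD[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* same with bx=7A5Fh */
static const unsigned char P_INT41_4F[]     = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };             /* mov ax,4Fh / int 41h */
static const unsigned char P_CMP_F386[]     = { 0x3D, 0x86, 0xF3 };                         /* cmp ax,0F386h (also the tail of 66 3D 86 F3) */
static const unsigned char P_INT68_43[]     = { 0xB4, 0x43, 0xCD, 0x68 };                   /* mov ah,43h / int 68h */
static const unsigned char P_VWIN32_INT41[] = { 0x68, 0x2A, 0x00, 0x2A, 0x00 };             /* push 002A002Ah (VWIN32_Int41Dispatch) */
static const unsigned char P_STR_SICE[]     = "\\\\.\\SICE";
static const unsigned char P_STR_SIWVID[]   = "\\\\.\\SIWVID";
static const unsigned char P_STR_NTICE[]    = "\\\\.\\NTICE";

typedef struct {
    const char *method;          /* section of this document */
    const char *what;
    const unsigned char *bytes;
    size_t len;
} Sig;

#define CODE(name, method, what) { method, what, name, sizeof name }
#define TEXT(name, method, what) { method, what, name, sizeof name - 1 }  /* drop the NUL */

enum { I_BCHK, I_FGJM, I_SICE_VXD, I_SIWVID_VXD, I_INT41_4F, I_CMP_F386,
       I_INT68_43, I_VWIN32_INT41, I_STR_SICE, I_STR_SIWVID, I_STR_NTICE, NSIGS };

static const Sig SIGS[NSIGS] = {
    CODE(P_BCHK,         "01",       "BoundsChecker 'BCHK' signature"),
    CODE(P_FGJM,         "02",       "INT 3 back door magic values in SI/DI"),
    CODE(P_SICE_VXD,     "03",       "int 2Fh/1684h with SICE VxD ID 0202h"),
    CODE(P_SIWVID_VXD,   "04",       "int 2Fh/1684h with SIWVID VxD ID 7A5Fh"),
    CODE(P_INT41_4F,     "05",       "int 41h function 4Fh"),
    CODE(P_CMP_F386,     "05/07/12", "compare against magic number 0F386h"),
    CODE(P_INT68_43,     "07",       "int 68h function 43h"),
    CODE(P_VWIN32_INT41, "12",       "VxDCall VWIN32_Int41Dispatch"),
    TEXT(P_STR_SICE,     "11",       "device name \\\\.\\SICE"),
    TEXT(P_STR_SIWVID,   "11",       "device name \\\\.\\SIWVID"),
    TEXT(P_STR_NTICE,    "11",       "device name \\\\.\\NTICE"),
};

/* Plain byte search; buffers here are small, so no need for anything smarter. */
static int contains(const unsigned char *buf, size_t len,
                    const unsigned char *pat, size_t plen)
{
    if (plen == 0 || len < plen) return 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return 1;
    return 0;
}

/* Returns a bit mask with bit I_xxx set for every signature found in buf. */
unsigned scan_softice_checks(const unsigned char *buf, size_t len)
{
    unsigned mask = 0;
    for (int i = 0; i < NSIGS; i++)
        if (contains(buf, len, SIGS[i].bytes, SIGS[i].len))
            mask |= 1u << i;
    return mask;
}

/* Constructed sample: NOP filler around a Method 02 prologue, a Method 05
   check and a MeltICE device name. Not taken from any real binary. */
const unsigned char SAMPLE[] = {
    0x90, 0x90,
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,         /* mov si,4647h / mov di,4A4Dh / int 3 */
    0x90,
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3,   /* mov ax,4Fh / int 41h / cmp ax,0F386h */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,     /* "\\.\SICE" */
    0x90
};

int main(void)
{
    unsigned mask = scan_softice_checks(SAMPLE, sizeof SAMPLE);
    for (int i = 0; i < NSIGS; i++)
        if (mask & (1u << i))
            printf("Method %s: %s\n", SIGS[i].method, SIGS[i].what);
    return 0;
}
```

Run it over a memory dump taken after the packer or envelope has finished
unpacking, not over the file on disk: the stubs mentioned in Method 01
encrypt their code. A lone 0F386h compare can be a coincidence, so treat
each hit as a place to put a BPX rather than as proof.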

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE' in
the subkey strings of #2 and #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only). The service returns with the zero flag set when no debugger is
installed, hence the conditional jump below.

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>