<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE's int 3 handler answers the BoundsChecker query
    cmp al,4                ; al is still 4 when no SoftICE is loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands... It is also used to crash SoftICE and to force it
to execute any command (HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0:0 if the VxD is not loaded
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES = 0 -> real-mode interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h                 ; with no debugger our iret-only handler runs and ax stays 4Fh
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; only reached when no debugger owns int 41h
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> real-mode interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, keep the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer counter: an unpredictable value
    xor cx,cx
    int 41h                 ; our handler copies al into cl; if SoftICE intercepts
                            ; int 41h the handler never runs and cl stays 0
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Opening the VxD as a device only succeeds when it is loaded. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed            ; ZF set when no debugger is present

This service just checks a flag.
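
As an added example (not part of the original text), here is a small static
scanner in Python that looks for the byte encodings of the idioms listed above
in a file image, so an analyst can tell which of these checks a packed sample
carries before tracing it. It covers the methods that have a fixed opcode or
string form (01-05, 07, 11-13); the signature names, the patterns and the sample
buffer are assumptions constructed for this example.

```python
from typing import Dict, List

# One entry per method above. Each inner list is a group of alternative
# byte patterns; a signature matches only if every group has at least one
# alternative present. Patterns are the x86 encodings of the listed code.
SIGNATURES: Dict[str, List[List[bytes]]] = {
    "01 BoundsChecker 'BCHK' int 3":
        [[b"\xbd\x4b\x48\x43\x42"]],                     # mov ebp,4243484Bh
    "02 int 3 back door (SI=4647h, DI=4A4Dh)":
        [[b"\xbe\x47\x46"], [b"\xbf\x4d\x4a"]],          # mov si,4647h / mov di,4A4Dh
    "03 int 2Fh/1684h VxD ID 0202h (SICE)":
        [[b"\xb8\x84\x16"], [b"\xbb\x02\x02"], [b"\xcd\x2f"]],
    "04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)":
        [[b"\xb8\x84\x16"], [b"\xbb\x5f\x7a"], [b"\xcd\x2f"]],
    "05 int 41h function 4Fh":
        [[b"\xb8\x4f\x00\xcd\x41"]],                     # mov ax,4Fh / int 41h
    "07 int 68h function 43h":
        [[b"\xb4\x43\xcd\x68"]],                         # mov ah,43h / int 68h
    "11 MeltICE driver handle names":
        [[b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]],
    "12 VxDCall VWIN32_Int41Dispatch":
        [[b"\x6a\x4f", b"\x68\x4f\x00\x00\x00"],         # push 4Fh (imm8 or imm32)
         [b"\x68\x2a\x00\x2a\x00"]],                     # push 002A002Ah
    "13 SoftICE registry key":
        [[b"Software\\NuMega\\SoftICE"]],
}


def scan_for_softice_checks(data: bytes) -> Dict[str, List[int]]:
    """Return {method: [first offset of each group]} for every signature
    fully present in data. Short opcode patterns can occur by chance, so a
    hit is a lead to confirm in a disassembler, not proof by itself."""
    hits: Dict[str, List[int]] = {}
    for name, groups in SIGNATURES.items():
        offsets = []
        for group in groups:
            found = [data.find(p) for p in group if p in data]
            if not found:
                break                       # a required group is missing
            offsets.append(min(found))
        else:
            hits[name] = offsets
    return hits


# Constructed sample (not a real binary): NOP filler around three idioms.
SAMPLE = (
    b"\x90" * 8
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"        # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                      # MeltICE device name
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"         # push 4Fh / push 002A002Ah
    + b"\x90" * 8
)

if __name__ == "__main__":
    for method, offs in scan_for_softice_checks(SAMPLE).items():
        print(method, "at", ", ".join(hex(o) for o in offs))
```

Run it over a whole unpacked image (or each section of a packed one) rather
than a single function, since the movs and the int are sometimes separated.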
</PRE></TD></TR></TBODY></TABLE>