<TABLE width=500>$ L- \; o9 ]& @
<TBODY>
* z5 Q! k9 E5 X, g; y7 J/ W<TR>
~ B% W' u& m" W1 L+ |9 @) ]5 }7 n<TD><PRE>Method 01 7 W6 N; F8 a5 w$ T
=========$ M5 G, v/ q7 L4 @4 z
- m& U% T( d# E9 d: F9 J; JThis method of detection of SoftICE (as well as the following one) is' R8 [$ V; l: w5 j8 x& w( e; ?; c
used by the majority of packers/encryptors found on Internet./ b5 _- Y1 S" x1 V( O6 Z
It seeks the signature of BoundsChecker in SoftICE% }) B. S; }8 o" t& F% D
$ n7 x3 y7 f) E# K mov ebp, 04243484Bh ; 'BCHK'/ s8 G7 o; i: y5 v$ `
mov ax, 04h! @# i8 }. [0 |! e; O
int 3 . K# a4 U1 T9 x& j R' l
cmp al,4
^; F6 \; O2 |& X! e jnz SoftICE_Detected6 s7 ^9 K6 X' H- g' B
5 W8 |' l! B- ^ B2 o3 x* r___________________________________________________________________________% ?! J8 \/ T6 h; u7 g7 [( ?
/ g( A' ?( W6 ?( I, j; k$ ?& u! c/ ~
Method 02
6 t" D6 Y7 D2 T6 P" W4 `* e=========
p. M" o6 M5 @- a: k- _9 J. o
Still a method very much used (perhaps the most frequent one). It is used) |( r9 ?. i2 Q* O5 e; U
to get SoftICE 'Back Door commands' which gives infos on Breakpoints," {/ B- w2 \: W* B$ T3 m4 J4 t* V( q
or execute SoftICE commands...2 h( V d8 X9 w# I/ G" g( V) B3 l+ r
It is also used to crash SoftICE and to force it to execute any commands
& z' R+ t! d( B* S; y. H) \$ V(HBOOT...) :-((
. Y/ ?* i+ G8 o& p5 Z0 P& d, ^/ o: `; o+ d: E9 @" V
Here is a quick description:
2 _$ i" Y# M/ `/ U-AX = 0910h (Display string in SIce windows)& @: J. z& \" |; o# `; f' b9 R
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)+ _1 u3 l2 W# Q
-AX = 0912h (Get breakpoint infos)) l- n) [2 T" y r
-AX = 0913h (Set Sice breakpoints)
& X) }' Z8 I/ ~" g+ p: w9 [ ~; G, R- u-AX = 0914h (Remove SIce breakoints)
( p5 I# ~7 p" l& S# z5 c" G/ @
1 T0 J3 X/ v, j8 d3 SEach time you'll meet this trick, you'll see:, u# Y! D4 o* [* x1 }# _
-SI = 4647h
1 j- `: y+ @+ K$ h0 R, \-DI = 4A4Dh [: j+ d. G% j# d+ w1 W
Which are the 'magic values' used by SoftIce.
# h0 l F% `0 ~For more informations, see "Ralf Brown Interrupt list" chapter int 03h.+ U5 ^% R9 {. t) j7 w \
4 W8 l( e7 H2 }" T8 J! `( `Here is one example from the file "Haspinst.exe" which is the dongle HASP
& v+ ]8 _+ K& QEnvelope utility use to protect DOS applications:0 L: M& b4 X$ `
! M$ ^/ z! P( n- ?
5 c% v* U5 v% E! ]2 H
4C19:0095 MOV AX,0911 ; execute command.* ^- y+ c4 j0 ]' D( R
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).2 u: d6 |& `: T' ]5 f7 h+ w& ^- w% M
4C19:009A MOV SI,4647 ; 1st magic value.
( {& G0 ?1 F3 p# ]8 \9 u1 W* k6 u% l4C19:009D MOV DI,4A4D ; 2nd magic value.. _; Y$ e& n C$ z" H
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)/ ^5 l9 m) o% N2 N# ~9 z) s: y
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute6 ~4 s+ o1 M8 n2 }+ U {/ i( J
4C19:00A4 INC CX$ R3 Y7 h6 o! n. K
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute7 ]: O# t1 k" X( S% ]6 z0 l
4C19:00A8 JB 0095 ; 6 different commands. u4 l r5 j" W# ?
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
# {6 v2 x3 b( O8 y7 G# @, E4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
2 E( T( x9 `) e$ J2 z3 U' W
" r% C; z! t" ?* o p9 `; h/ _The program will execute 6 different SIce commands located at ds:dx, which
$ W0 i( t8 Z/ M/ T+ \: v/ p5 e6 tare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
2 }- Z) Y6 \ u
+ o8 X: c, }; B7 I1 F/ q' N* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
1 M( d) z! D' c+ ]* e___________________________________________________________________________
) n, ~! @& m) e. W
- `/ F. I" m# V9 d5 d1 _6 I+ D/ P- ~
- d. Z1 T' U# n' YMethod 038 h4 H" }; B; G/ T. W# } w& v8 z
=========5 o; A! W7 o- s7 [7 Q
7 e# x" f8 O8 Q' CLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h& n, Y+ X6 t% ?9 ~3 }
(API Get entry point); D2 M, |6 q" b. ]9 z' v! e$ x; o7 |
8 V& m7 r$ c8 t4 W& |! p0 y$ z! i- j
xor di,di3 Q- a( Z. d# T7 e3 s
mov es,di
6 E- u" Q/ e- m/ Z6 J- u& t- u mov ax, 1684h 9 m _, A% q- D2 ^9 s
mov bx, 0202h ; VxD ID of winice3 K% b6 m2 N& w4 H
int 2Fh
1 {' d& J% o- R o2 m5 A* f mov ax, es ; ES:DI -> VxD API entry point/ F, I2 ?- s+ a, G/ k
add ax, di% r5 @( ?0 v2 i* }% @6 j8 ?
test ax,ax a; Z3 e* U" [5 c
jnz SoftICE_Detected8 {2 {- _# R& E4 I1 f$ ]
2 y+ s; j8 O% R, t% N
___________________________________________________________________________
3 x4 y' r: M# i# u Z1 i" |* Y6 @% B' p0 ^
Method 04% [ f& Y1 C. J6 _/ }$ U* g2 W
=========! b3 ?' _+ p2 _' h( c/ P
! S$ L( f5 q( @: c, U; M( Y
Method identical to the preceding one except that it seeks the ID of SoftICE( ~7 m! w4 E: Y7 s8 l
GFX VxD.2 ^! `5 a6 _3 y+ x
. ]" h7 X" A/ v
xor di,di
5 A) G: v, M: }1 T9 W; a% E mov es,di
n, Z7 t$ }2 `) X0 ? mov ax, 1684h
; Q8 U0 V8 `! w6 j* h4 k mov bx, 7a5Fh ; VxD ID of SIWVID
$ [3 v& C3 U& m5 W int 2fh
/ G# e' F8 l* |. V# s mov ax, es ; ES:DI -> VxD API entry point0 P: _- e$ W! U# ?# K
add ax, di
3 X7 P% B1 y9 V8 J/ T' T test ax,ax6 u% |; W! I& R. ^
jnz SoftICE_Detected
. @2 Q" a$ w2 y" r( R/ p; Q, `' } a0 q0 O( y
__________________________________________________________________________
- i# K. p; ~, o9 ?7 V' [3 {1 C& o5 ]
! j" U- Q/ D9 ?2 n4 ~# l0 o7 H: N% q1 ?; HMethod 05
3 T! b0 \# m: h( G3 ^' Z=========. M5 Q# o6 B' U0 Y& D
3 A5 g. E0 l0 EMethod seeking the 'magic number' 0F386h returned (in ax) by all system$ f7 A! {1 A5 y6 r
debugger. It calls the int 41h, function 4Fh., N2 b$ t& U! \+ M
There are several alternatives. & p. f$ t1 g" t, b
( q* n" r+ K, f" D1 ~0 S Q
The following one is the simplest:5 z( p1 _. Q* m8 a( A! K( W
$ m, e" u- N5 b7 }7 x- G8 B mov ax,4fh
7 _! ~6 W3 ^4 H( }( T int 41h
# O8 \: A) O/ t D2 @, |1 c4 I. w) A cmp ax, 0F386
$ i2 q. L4 N7 L i8 h5 e: r jz SoftICE_detected
4 E( i' i) D4 b0 \' _
}& q1 |1 ^% j5 D2 E/ I
8 O! b7 `% w2 D* X, e) f# [Next method as well as the following one are 2 examples from Stone's
' q# `) |' m v2 O"stn-wid.zip" (www.cracking.net):% T7 e4 Q* }' G( i& Q- r5 E7 i2 y
) U+ X6 S8 \% j: Q5 V mov bx, cs8 g) p6 t; w5 X6 ?
lea dx, int41handler2
" y; J1 H9 o5 J' U* {9 I xchg dx, es:[41h*4]
; y) N+ O: g. @# b$ k# F xchg bx, es:[41h*4+2]
4 }& Y8 V1 W8 k mov ax,4fh
, U- ?7 n( ]& H' p, v% s int 41h8 T( r5 |* X5 r9 z( e- I2 A( B1 `2 c
xchg dx, es:[41h*4]
$ Y6 J; U$ m+ T# c! d" T2 N8 B xchg bx, es:[41h*4+2]3 |7 J& J2 y& g* g: _+ Q
cmp ax, 0f386h8 M& Y6 ?1 C7 J4 N4 P! e! U% H
jz SoftICE_detected
& f9 V: n- S+ ^* m6 r: P( u! I
1 i. c; l, V6 `. uint41handler2 PROC
% t5 @- |: R: o" @3 l: e iret' X: H. y0 V b+ ~8 ~# |
int41handler2 ENDP
: K* S6 m" B3 b$ u: w( m @" F- r& ~7 b D% ?% x
% S* A1 z9 r! z" D
_________________________________________________________________________
6 [% |1 L- ] j9 U( F7 O
. q4 h1 Y) \7 j+ {3 X: C& ~; O ?& E1 u) z; V* c. _6 C
Method 06, [( [ [5 r. S9 P {# H1 ]( l/ c
=========
# [1 _- K4 O8 C/ W7 m1 M _
* F5 h, }/ Q; k4 ]1 n, A( _: ^0 ^8 g0 E6 q+ w, X
2nd method similar to the preceding one but more difficult to detect:2 B# \/ ]4 g$ C- d
" N# ~$ \2 R: g w. @* }* z6 W6 I" }' ~5 R: ]: |$ J
int41handler PROC$ C. u7 L3 n& L0 z& Y$ Y
mov cl,al4 A$ z# ]1 p$ J( Q7 g: D* F2 `2 j2 l
iret8 D+ T0 X! @' e& V
int41handler ENDP6 W% J6 k$ H- U6 Q4 G! \/ I1 w# P \* `
( p# U/ f' k4 h; y! _7 M
# c& @3 N: g& Z9 ~% P xor ax,ax6 N+ p4 U8 b# L3 G+ A6 _3 V
mov es,ax
# G4 K) D7 @( A1 b3 E4 s6 j mov bx, cs) X( D- |9 T# x: W
lea dx, int41handler
4 K7 e: L/ L: R; s0 e; E xchg dx, es:[41h*4]
7 c5 _' \/ E0 y; y xchg bx, es:[41h*4+2]
% d' _. k- L1 S( w d! ^ in al, 40h
0 k' o6 V+ @( x$ ~, b xor cx,cx) B l( S# f5 n' V7 Z! ~& d
int 41h
1 w+ A/ x2 o+ \: n" S xchg dx, es:[41h*4]/ t3 U" ^* Q0 M/ i7 ?
xchg bx, es:[41h*4+2]
9 a4 D. p5 l* O' q cmp cl,al! ~" w0 Z9 B7 |1 k/ u* a1 R
jnz SoftICE_detected
: x; [1 O5 _+ R! B% |2 S0 e/ {$ U; Z7 J, `& [' x# | |
_________________________________________________________________________2 T4 a S! J5 Q2 o, y! S3 q6 \7 m( \
, h9 e* ]8 `- |( e0 d
Method 07: |+ t* S! ^( T d c1 ^; g& v
=========
/ r% o- S6 ?9 | m5 D: m* Z6 l2 k3 s9 [/ X" r+ e2 F; g3 {
Method of detection of the WinICE handler in the int68h (V86)
5 Y, P O9 C$ u
9 O" [1 e. ~7 I$ D5 P: N; X mov ah,43h b* M, \$ C/ S# R3 q, f
int 68h
( {. y4 J4 Z, S* X cmp ax,0F386h# D+ e8 {5 {% }/ O* a8 g! D7 Q
jz SoftICE_Detected! F- y. x" U& n( ~4 z
j3 w: Y5 m# s6 h/ j/ Y% Q
, m( ~# L. `/ j0 [' }6 f! l=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit8 `- {" x3 @( r! v+ W
app like this:8 c* Z' Y' a7 g
2 Z; H. N9 n, o* t% e6 t BPX exec_int if ax==68
7 } I" a6 H: `+ @ (function called is located at byte ptr [ebp+1Dh] and client eip is2 r, R+ N& l: j6 k, F
located at [ebp+48h] for 32Bit apps)/ v6 g: f2 [# x5 X6 L6 i% ?
__________________________________________________________________________
# ~8 |- S& }5 Z% z9 `
& k+ J6 f/ e: p# o4 w
4 i! o% y2 B' f' j/ nMethod 08. r* Y7 t. d5 U3 y i
========= M4 r' l2 a: R( V6 _) c2 ~4 J
O) z8 `, w \- e+ j0 J/ hIt is not a method of detection of SoftICE but a possibility to crash the
: [) I( [+ J; `8 q" Dsystem by intercepting int 01h and int 03h and redirecting them to another
% U9 s9 v0 ]( q- w6 U1 Wroutine.2 U* B- w0 V6 w, v
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
' b6 Q* a$ g9 P: ~+ B/ a1 T4 D/ ito the new routine to execute (hangs computer...)" V/ @7 ^' Q: ?9 L5 i
' W) e4 N! ^4 g/ R mov ah, 25h, n+ S, Q+ q! H6 }. B" H- ?7 P
mov al, Int_Number (01h or 03h)8 H1 h/ h" x+ W# e7 ?& a# }3 t
mov dx, offset New_Int_Routine4 i, u8 `# V& \& ~
int 21h
! `; i- L' @) e6 p3 ^
- B9 c. n/ ^# P1 Q; j- h+ c__________________________________________________________________________" q6 D2 K+ V+ Y5 [! a3 j
$ Z& H" G4 i+ e! p9 D. R" O7 }1 J
Method 09
, k4 G. ^3 @3 @" _! H=========4 D* ?% R' }2 s$ c! d
- l3 a9 a7 }4 V% q+ S+ l
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
7 v/ e- W& `1 Z. C4 _* g a. bperformed in ring0 (VxD or a ring3 app using the VxdCall).; k2 W4 N- g+ R) ?- e) v
The Get_DDB service is used to determine whether or not a VxD is installed
2 ?# z# y* B* `( V: ]! ]& w% U" xfor the specified device and returns a Device Description Block (in ecx) for5 ?# l2 [/ c' R
that device if it is installed.; I: Z" |9 d {7 p" ^
3 b* \0 r0 X1 w9 q' R
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
8 X Y ]: X5 L5 B; N1 A; L mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)5 O) v G! n1 M3 D' f
VMMCall Get_DDB
. F) _# Q/ m8 e; Y% i mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed$ |% }% K0 w, H% X& i5 K
9 H* \0 `/ B8 M+ r7 \
Note as well that you can easily detect this method with SoftICE:( m6 m- }1 i& U
bpx Get_DDB if ax==0202 || ax==7a5fh4 z4 L: |) R1 G E) s/ O
' I7 u. p; _6 L__________________________________________________________________________
% r, D! l6 c5 ^& K: Z8 h6 k Z1 I+ H7 r% ?. N s' N, u5 B: L9 L3 O) i
Method 108 `% G+ p: @! ~& }( {! ~
=========
% c8 z J @) {: v. H) |
8 M9 m( \/ v0 |/ Y( z/ V=>Disable or clear breakpoints before using this feature. DO NOT trace with. B: u7 E7 @0 G3 O- C7 i
SoftICE while the option is enable!!
* w D( k6 q; w) h# _' B8 Q% K* `! \: ^0 v! X( n
This trick is very efficient:
! \0 [& ~# g' O3 \- Y( Kby checking the Debug Registers, you can detect if SoftICE is loaded
0 L4 n6 t; ^* N" K6 A(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if8 r0 [. M. v' C% P
there are some memory breakpoints set (dr0 to dr3) simply by reading their6 O3 E) n: I1 W# Z- k2 n" {' B( n) q
value (in ring0 only). Values can be manipulated and or changed as well+ N$ n4 f `$ r
(clearing BPMs for instance)+ Q1 j# E' L7 z9 e) I# H
$ K s* ?% X& N; x__________________________________________________________________________) z; H b; G* d+ S! B* `$ M
7 E& J5 Z: K* w! K/ ~Method 11
. h+ Q+ G: v$ o/ S, H1 X, e=========6 Y, J8 \, Q, `8 U& V
9 H, V- a; L2 aThis method is most known as 'MeltICE' because it has been freely distributed
2 ]% w0 @# \6 K, Y1 g: ]3 f% _via www.winfiles.com. However it was first used by NuMega people to allow
7 I% D n! X8 ^& ?2 j0 M: hSymbol Loader to check if SoftICE was active or not (the code is located
$ J- S8 O$ B% m6 ]) ]" Ainside nmtrans.dll).
5 Z6 w* [5 i$ F; w) |+ J+ A2 _) Z0 T- J ?) s
The way it works is very simple:
) \. D+ ~' M" mIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for4 f! Z% A4 C4 M3 c& u
WinNT) with the CreateFileA API." O2 y R$ i' q0 p. u7 l0 `( O
2 e$ ~# [8 @1 J3 k5 q/ c% ]" _
Here is a sample (checking for 'SICE'):
$ ^$ Z8 _- n$ c( w5 _6 \
9 {! m5 W5 [$ iBOOL IsSoftIce95Loaded(): V3 L- u- d8 X# p0 r
{
( X a# r8 I# p6 U HANDLE hFile; 0 {" f6 G1 @" F; M! h7 b3 ]. F
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
6 @% @/ Q; K/ R3 s e9 j2 t FILE_SHARE_READ | FILE_SHARE_WRITE,7 H$ |& J; x0 D6 ?; l- U" ~
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);9 F! Y, N7 u5 }4 S9 B4 r+ D9 k
if( hFile != INVALID_HANDLE_VALUE )
! s. Q$ ?' s4 O& v {
# K* J* v$ L2 g/ Z4 N; g/ Z; c" m' J CloseHandle(hFile);( e W) }7 w+ \, y4 ~) q8 [( q! n
return TRUE;0 J0 `+ C, e: N& q3 R5 c& ?. d
}
, J: H7 H R2 ^ return FALSE;1 r: d4 G1 \# h
}$ ?! E" [" f# w' F- M
* c9 y# E8 P5 z& V6 s3 V* r' P% {Although this trick calls the CreateFileA function, don't even expect to be
; Y5 D+ ^( z% _+ M& }4 Zable to intercept it by installing a IFS hook: it will not work, no way!
`6 x9 T x" { I/ U B fIn fact, after the call to CreateFileA it will get through VWIN32 0x001F+ N7 b3 S) N# }- Y9 g
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)+ ~2 M+ L7 \0 A% i$ C
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
- B" F2 f( c2 E- Y" ofield.
% k ?. l$ `9 h: N NIn fact, its purpose is not to load/unload VxDs but only to send a 2 P' ]4 D) K& V$ S3 f
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
3 x' ^4 H; I0 q1 d% F9 h3 `to the VxD Control_Dispatch proc (how the hell a shareware soft could try" v' o: ~1 U: o" O( }- R
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
* q; t! T: J- W" w# WIf the VxD is loaded, it will always clear eax and the Carry flag to allow
# z. N6 g/ W# I7 F8 i* K9 `! ], N( O' Aits handle to be opened and then, will be detected.' c+ b8 D M+ f: c; z9 I# G
You can check that simply by hooking Winice.exe control proc entry point, [+ N4 [5 J1 R5 X$ ~
while running MeltICE.9 C0 P5 g+ w* w8 V. p. Z; r z
' {8 l, z$ x+ d" @; ^% N" k+ K8 B6 j% Q# Z, |
00401067: push 00402025 ; \\.\SICE- }. P5 S! O- i: R# ^ q
0040106C: call CreateFileA4 {8 u2 Q, V" w
00401071: cmp eax,-001# R0 E" M9 p: _1 G' N
00401074: je 00401091- r0 Z: a* Z1 J( i% p
, ]- |$ l8 o, _5 e1 n
' Z( r$ k& T* p6 S* rThere could be hundreds of BPX you could use to detect this trick. l/ h* _. x% O3 l* z' H
-The most classical one is:- I6 o ^) G8 K
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
3 z. D; x, w8 q# d+ | *(esp->4+4)=='NTIC'
" M6 j% D5 d0 t! I7 L3 |; p0 ~ u4 a! a2 y
-The most exotic ones (could be very slooooow :-(5 D3 V |" v+ i$ E, @1 g
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') ( I' u" k( h6 G+ o
;will break 3 times :-(
, T& B( c' M ^. ?9 x' b1 }3 o4 `0 w' Y" S& o" D
-or (a bit) faster:
2 B, q. [% i5 C, P* {. ^# a BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
& N& V0 I, R: S- K3 q. S
1 X9 D6 B9 }9 ? f& C* g0 W1 E BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
* [( F1 S4 L7 ^+ U ;will break 3 times :-(" X+ z' g9 T- W# ~
) o3 T0 B# ]* \; ?: t* d3 W& [
-Much faster:3 J' A( u6 r3 P
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
+ ^1 `+ _& Q2 u1 {8 d9 p
) R( q; L, r r; i& ?6 XNote also that some programs (like AZPR3.00) use de old 16-bit _lopen" }. R% J3 y) U/ w; m z
function to do the same job:# G2 }6 D6 v$ L, X- M% D
. o% L7 i5 P4 ^6 ^7 J% {, m, h push 00 ; OF_READ+ ]" ^' m. B) }) h5 f
mov eax,[00656634] ; '\\.\SICE',0
; r& G7 p9 s( g# |* o push eax3 w; B( u$ b) v& i5 C$ m
call KERNEL32!_lopen' F! G% m& x* Z! n
inc eax; W/ r- k( M- `- b8 ^ `# ^) f% N6 {
jnz 00650589 ; detected
0 I) m7 Z% P8 w( y( \# `% ] push 00 ; OF_READ
8 d) O' {6 j) q3 b* B mov eax,[00656638] ; '\\.\SICE'
& ?' G9 U+ J& z9 A4 y) ^ push eax
0 {; I# k' \1 G call KERNEL32!_lopen! W; C; u. Z$ v) B! v
inc eax: C- i* v. Y! X7 `
jz 006505ae ; not detected7 H; Z! m! f( e: P+ j3 o
9 O$ o$ l1 c! s% c. _( ?
& P. e- ^; N/ \, j4 R% W" D
__________________________________________________________________________
1 p# ^0 W7 s$ U& O& o. ^
# x' ?! _: l1 w$ U: E" MMethod 12
/ ?7 W9 o& J- |$ |+ b6 ]- }=========
8 h; K, g2 W0 P7 n
5 U4 D$ `4 ` g9 GThis trick is similar to int41h/4fh Debugger installation check (code 05
% e4 r2 b ?. F7 E( {, {& 06) but very limited because it's only available for Win95/98 (not NT)+ [7 i. D4 Z+ Z9 ~; k! q' i! c# ~% o
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.- s! W+ J8 v: b, }# f
0 U% ]" ^) d7 s0 J push 0000004fh ; function 4fh% O, b4 V! j ?# Q! Y, h4 b
push 002a002ah ; high word specifies which VxD (VWIN32)' j8 ^/ s% |8 I7 A/ n( M
; low word specifies which service/ d- j% | g7 M9 w0 l# ?
(VWIN32_Int41Dispatch)+ P0 r! O1 ]& x& h
call Kernel32!ORD_001 ; VxdCall% ?+ D5 q' Y8 p4 |
cmp ax, 0f386h ; magic number returned by system debuggers
& j% V# O) {$ [ jz SoftICE_detected! u, }" b; @: m& j
/ H2 {# d1 C- M% A: u: E8 vHere again, several ways to detect it:; d0 B4 {# t/ I
( e' z" `: f: v0 w# b6 C2 Q BPINT 41 if ax==4f8 S- k6 e- N4 R+ G5 n- {
# ^& R1 b1 w" t: t* y BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one/ b4 k. Z3 x) {. R5 w8 S
* J% ~$ k6 g: Y; |2 L
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A+ Q3 m. y& c+ ?3 a R7 v
& A9 R' U( Q' D$ U$ I
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
" R1 ?! G: O7 t3 I+ k7 v" S
# \) b; [' h& C1 F8 A__________________________________________________________________________
) ]" ?" m9 n: z3 W
& l5 v# g+ g, G. sMethod 13
. d, F' a0 _9 c% q. u* p+ [=========" ?5 {$ ~, q3 p( C8 Y3 s4 K( w
! S5 X8 w( }$ z$ M2 l$ fNot a real method of detection, but a good way to know if SoftICE is
d1 ^$ z- |5 m) V# zinstalled on a computer and to locate its installation directory.
" x4 [1 N2 O/ xIt is used by few softs which access the following registry keys (usually #2) :9 H- V6 M0 }4 I4 p" F3 S% @5 o, g; F. {
! v& \" K3 X/ w/ g9 o0 s-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
* b0 H/ v5 ?; c1 F' n% H\Uninstall\SoftICE
) h1 i' W8 s8 H3 M S2 B5 q- ]. c-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
1 _% D# w3 C4 ]) A1 X" R-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
, m/ I$ M/ |# r" \6 l\App Paths\Loader32.Exe. ]; P d( ?, n% L! u+ A
0 _4 B. L2 `/ |* x7 r
, W4 T/ S$ o3 L+ V a6 LNote that some nasty apps could then erase all files from SoftICE directory5 D) O7 g. a3 Y' X* Q
(I faced that once :-(
5 Q8 x2 U& y4 B0 y" Q& _* `# a& Q: M1 g" p( D9 }& N
Useful breakpoint to detect it:3 r; Y L: B, u9 m
4 y2 Z0 T2 Y! i) g! @
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
3 e& r0 m# x$ r, s" @8 Z, C/ } z* l
7 x7 g, J: ^, _. ?* h* ^5 ]__________________________________________________________________________: Z+ Z; Z/ w) L: ?6 P3 O, a, W5 ^
# Q6 Z* U2 {5 R% ]5 g& Q+ N# A9 T% U: Q9 J
Method 14
% |) C* w% i8 W* \) ~! m& \=========
5 U" {% n$ i1 M6 @, s
/ ]4 [7 z- w5 p: z8 hA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose- M2 Q% q: m- K4 {% S, z3 P
is to determines whether a debugger is running on your system (ring0 only).' t$ M0 s5 K( \+ ^" J' e' |& ]
9 O# ~0 O8 I" Y: S6 j6 I/ r+ a: G VMMCall Test_Debug_Installed$ Q0 L' k! }4 Y7 p+ ~$ ^6 X J4 w
je not_installed0 |$ n7 V1 A$ Z5 z
) e( T3 r" ^( x
This service just checks a flag.
4 w1 f% \8 U. I/ ^, f6 ^</PRE></TD></TR></TBODY></TABLE> |