<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh        ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4                  ; SoftICE answers the BCHK call and changes AL
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It drives
the SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h ('FG')
 -DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911        ; execute command.
4C19:0098 MOV DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647        ; 1st magic value.
4C19:009D MOV DI,4A4D        ; 2nd magic value.
4C19:00A0 INT 3              ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02          ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06          ; repeat 6 times to execute
4C19:00A8 JB 0095            ; 6 different commands.
4C19:00AA JMP 0002           ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP          ; Good_Guy goes ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own exception handler
  (SEH) when the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less-used method. It looks for the SoftICE VxD ID through int 2Fh/1684h
(Get Device API Entry Point): if the VxD is present, ES:DI receives its API
entry point; if it is not, ES:DI stays 0.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h              ; VxD ID of WINICE
    int 2Fh
    mov ax, es                 ; ES:DI -> VxD API entry point
    add ax, di                 ; cheap "either half non-zero" test
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh              ; VxD ID of SIWVID
    int 2Fh
    mov ax, es                 ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by any
system debugger that implements the int 41h debugger interface. It calls
int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next variant, as well as the following method, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). This one temporarily installs its
own int 41h handler, which just returns: without a debugger AX is left
unchanged at 4Fh, whereas SoftICE answers the interrupt itself with 0F386h.

    xor ax, ax
    mov es, ax                 ; ES = 0: es:[41h*4] is the IVT entry for int 41h
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; swap in the temporary handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second variant, similar to the preceding one but harder to spot because
no constant is compared. The temporary handler copies AL into CL, and AL is
loaded from the PIT counter (in al, 40h), so it is an unpredictable value.
If the temporary handler is the one that runs (no debugger), CL equals AL
afterwards; if SoftICE services the int 41h itself, the handler is
bypassed, CL stays 0 and the compare fails. (Should the counter byte happen
to be 0, the check gives a false negative.)

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                 ; ES = 0: the IVT
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; PIT channel 0 counter: a pseudo-random byte
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (and the computer hangs...).

    mov ah, 25h
    mov al, Int_Number         ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether a VxD is installed for the
specified device, and returns its Device Description Block (in ECX) if it
is.

    mov eax, Device_ID         ; 202h for SICE or 7A5Fh for SIWVID (VxD IDs)
    mov edi, Device_Name       ; only used when there is no VxD ID (useless here ;-)
    VMMCall Get_DDB
    mov [DDB], ecx             ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers (in ring 0 only) you can detect whether
SoftICE is loaded (DR7 = 0x700 if you loaded the program with the SoftICE
loader, 0x400 otherwise) and whether memory breakpoints are set (DR0 to
DR3), simply by reading their values. The values can be manipulated or
changed as well (clearing BPMs, for instance).

__________________________________________________________________________
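
As an added illustration (not part of the original text), here is a C decoder
for the DR7 bit layout that this trick reads, so the two values quoted above
can be read off: 0x400 is nothing but bit 10, which always reads as 1, and
0x700 adds the LE and GE "exact breakpoint" bits (8 and 9); an armed BPM shows
up as an Ln/Gn enable bit plus a non-zero address in DR0..DR3. The register
values in main() are constructed, not read from a CPU: reading DRn needs
ring 0, and only the interpretation step is shown here.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"): bits 0-7 are the
   L0/G0..L3/G3 enables, bit 8 LE, bit 9 GE, bit 10 reads as 1, bit 13 GD;
   slot n has R/Wn in bits 16+4n..17+4n and LENn in bits 18+4n..19+4n. */
typedef struct {
    int local, global;   /* Ln / Gn enable bits */
    unsigned rw;         /* 0 = execute, 1 = write, 2 = I/O (with CR4.DE), 3 = read/write */
    unsigned len_bytes;  /* decoded LENn: 1, 2 or 4 (8 only exists in 64-bit mode) */
} dr7_slot;

typedef struct {
    dr7_slot slot[4];
    int le, ge;          /* exact breakpoint enables, bits 8 and 9 */
    int gd;              /* general detect, bit 13: traps any MOV to/from DRn */
    unsigned enabled;    /* bitmask of slots with Ln or Gn set */
} dr7_state;

static unsigned decode_len(unsigned code) {
    switch (code & 3) {
        case 0:  return 1;
        case 1:  return 2;
        case 3:  return 4;
        default: return 8;   /* 10b: 8 bytes in 64-bit mode, undefined in 32-bit */
    }
}

dr7_state decode_dr7(uint32_t dr7) {
    dr7_state s = {0};
    for (unsigned n = 0; n < 4; n++) {
        dr7_slot *sl = &s.slot[n];
        sl->local     = (dr7 >> (2 * n)) & 1;
        sl->global    = (dr7 >> (2 * n + 1)) & 1;
        sl->rw        = (dr7 >> (16 + 4 * n)) & 3;
        sl->len_bytes = decode_len((dr7 >> (18 + 4 * n)) & 3);
        if (sl->local || sl->global) s.enabled |= 1u << n;
    }
    s.le = (dr7 >> 8) & 1;
    s.ge = (dr7 >> 9) & 1;
    s.gd = (dr7 >> 13) & 1;
    return s;
}

/* The page's heuristic: 1 if LE and GE are both set (0x700 after the
   SoftICE loader started the program), 0 for a plain 0x400. */
int dr7_le_ge_set(uint32_t dr7) {
    return ((dr7 >> 8) & 3) == 3;
}

/* Number of BPM-style breakpoints armed: an enabled slot whose address
   register is non-zero. DR0..DR3 are passed in (reading them needs ring 0). */
unsigned armed_bpm_count(uint32_t dr7, const uint32_t dr[4]) {
    dr7_state s = decode_dr7(dr7);
    unsigned count = 0;
    for (unsigned n = 0; n < 4; n++)
        if (((s.enabled >> n) & 1) && dr[n] != 0) count++;
    return count;
}

int main(void) {
    /* Constructed sample values: the two the text quotes, plus one with a
       4-byte write breakpoint (R/W0 = 01b, LEN0 = 11b) armed in slot 0. */
    uint32_t samples[] = { 0x400u, 0x700u, 0x000D0703u };
    uint32_t dr[4] = { 0x00401000u, 0, 0, 0 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dr7_state s = decode_dr7(samples[i]);
        printf("DR7=%08" PRIX32 "  LE=%d GE=%d GD=%d  armed=%u\n", samples[i],
               s.le, s.ge, s.gd, armed_bpm_count(samples[i], dr));
        for (unsigned n = 0; n < 4; n++)
            if ((s.enabled >> n) & 1)
                printf("  slot %u: %s rw=%u len=%u at %08" PRIX32 "\n", n,
                       s.slot[n].global ? "global" : "local",
                       s.slot[n].rw, s.slot[n].len_bytes, dr[n]);
    }
    return 0;
}
```

Two caveats for anyone reusing this: a MOV from DRn at CPL > 0 raises #GP,
which is why the text says ring 0 only; and on Win9x the registers are
system-global, whereas an NT-family kernel saves and restores them per thread,
so the same read there only shows that thread's breakpoints.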
Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);      /* the device opened: the SICE VxD is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then walks the
DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch procedure (how the hell could a shareware program load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax, [00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                    ; _lopen returns -1 (HFILE_ERROR) on failure
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax, [00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected

__________________________________________________________________________

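Added example (not MeltICE's, NuMega's or AZPR's code): a portable C version
of the probe above, with the open attempt passed in as a callback so the logic
can be exercised on a machine without any SoftICE driver, plus the classic
BPX condition *(esp->4+4)=='SICE' written out in C, i.e. the dword just past
the "\\.\" prefix compared byte for byte. The three device names are the ones
the text lists; fake_open_probe_siwvid is a constructed stand-in that answers
as if only the SIWVID VxD were loaded.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <unistd.h>
#endif

/* Device names a MeltICE-style probe opens: SICE and SIWVID on Win9x,
   NTICE on NT. The "\\.\" prefix routes CreateFileA to the device namespace. */
enum { DEV_SICE = 1, DEV_SIWVID = 2, DEV_NTICE = 4 };
static const struct { const char *path; unsigned bit; } k_devices[] = {
    { "\\\\.\\SICE",   DEV_SICE   },
    { "\\\\.\\SIWVID", DEV_SIWVID },
    { "\\\\.\\NTICE",  DEV_NTICE  },
};

/* Opener callback: returns 1 if the path could be opened (and closes it again). */
typedef int (*open_probe_fn)(const char *path);

/* Real opener. On Windows this is the page's CreateFileA call; on POSIX the
   same string is just a relative filename that does not exist, so the probe
   reports "not loaded" (assumption: nothing has created such a file). */
int real_open_probe(const char *path) {
#ifdef _WIN32
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    CloseHandle(h);
    return 1;
#else
    int fd = open(path, O_RDWR);
    if (fd < 0) return 0;
    close(fd);
    return 1;
#endif
}

/* Constructed stand-in: behaves as if only the SIWVID VxD answered. */
int fake_open_probe_siwvid(const char *path) {
    return strcmp(path, "\\\\.\\SIWVID") == 0;
}

/* Bitmask of DEV_* values whose device opened. */
unsigned meltice_probe(open_probe_fn try_open) {
    unsigned found = 0;
    for (size_t i = 0; i < sizeof k_devices / sizeof k_devices[0]; i++)
        if (try_open(k_devices[i].path)) found |= k_devices[i].bit;
    return found;
}

/* Four characters packed in memory order, which is what the SoftICE
   expression 'SICE' is compared against when *(esp->4+4) is dereferenced. */
#define TAG4(a, b, c, d) ((uint32_t)(unsigned char)(a)        | \
                          (uint32_t)(unsigned char)(b) << 8   | \
                          (uint32_t)(unsigned char)(c) << 16  | \
                          (uint32_t)(unsigned char)(d) << 24)

static uint32_t dword_at(const char *s, size_t off) {
    uint32_t v = 0;
    if (strlen(s) < off + 4) return 0;       /* too short: can never match */
    memcpy(&v, s + off, 4);                   /* little-endian load, as on x86 */
    return v;
}

/* The BPX condition on lpFileName: which driver does this path name?
   Returns a DEV_* value, or 0 for anything else. */
unsigned classify_device_path(const char *lpFileName) {
    if (strncmp(lpFileName, "\\\\.\\", 4) != 0) return 0;
    uint32_t tag = dword_at(lpFileName, 4);
    if (tag == TAG4('S', 'I', 'C', 'E')) return DEV_SICE;
    if (tag == TAG4('S', 'I', 'W', 'V')) return DEV_SIWVID;
    if (tag == TAG4('N', 'T', 'I', 'C')) return DEV_NTICE;
    return 0;
}

int main(void) {
    unsigned mask = meltice_probe(real_open_probe);
    printf("SoftICE devices that opened: 0x%X (%s)\n", mask,
           mask ? "debugger driver present" : "none");
    return 0;
}
```

On a Win9x box with SoftICE loaded, meltice_probe(real_open_probe) comes back
with DEV_SICE|DEV_SIWVID; anywhere else it returns 0. Note that, like the BPX
it mirrors, classify_device_path is an exact four-byte compare at offset 4, so
it only fires on paths spelled exactly as the text shows.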
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

    push 0000004Fh             ; function 4Fh
    push 002A002Ah             ; high word: which VxD (VWIN32)
                               ; low word: which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001     ; VxDCall
    cmp ax, 0F386h             ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386     ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
2 D* j" Z6 Y% g$ P2 _Method 13
* s9 o9 ], Z7 t8 v1 I; G$ m=========7 ^& q! ^! b7 A6 X' \& O. Z
/ _/ A; A& `- C8 YNot a real method of detection, but a good way to know if SoftICE is3 E9 R$ {2 B: P' t8 M6 c2 H& Z
installed on a computer and to locate its installation directory.
% n9 f2 S/ Y5 G. MIt is used by few softs which access the following registry keys (usually #2) :0 c& u, Y1 u% Q; d) }/ G9 X: Y1 i
a L8 I& ?( W/ h/ x$ z
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
/ t( [& a' X1 k6 c$ `! g, J\Uninstall\SoftICE1 v- R5 u: B; w( I+ `2 w
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
- R8 _; r1 u& k/ r8 L! ]-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion; V& k) ^7 `7 X% g) l7 A, f& x ^
\App Paths\Loader32.Exe# J9 S. m" ^* s0 T3 @' B
0 s* {. w3 E- `* `* x2 y
+ ]/ N' m$ T. a0 |2 }Note that some nasty apps could then erase all files from SoftICE directory9 b3 d8 ~; e, v
(I faced that once :-(% ^% }0 X1 O [: N C! W* {5 V
9 J+ a7 q6 [. [0 E! \( ]' w9 jUseful breakpoint to detect it:! @' J0 \5 ^3 v+ I# Y/ y
. v0 Y: d8 ?: a$ {, h* a# @% b/ [% G BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'$ x7 \$ E$ ]5 A z" k
% `4 g& o* S" H6 X9 X0 T3 g__________________________________________________________________________) s. H1 I2 J. F
3 `7 V7 w% d- l* Z9 } `# ~
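Added example (not code from the original page): where the constants 0x13 and
0x37 in that breakpoint come from, the breakpoint condition evaluated in C
over the lpSubKey argument (esp->8 on entry to RegOpenKey), and a wider check
next to it. The wider check is mine, not the page's: it also catches an
upper-cased key name (the registry is case-insensitive, the dword compare is
not), a key opened in two steps ("SoftICE" relative to a parent handle), and
key #3, none of which the fixed-offset condition sees.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The three subkeys listed above (page's #1, #2 and #3). */
static const char *const k_key_uninstall =
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE";
static const char *const k_key_numega = "Software\\NuMega\\SoftICE";
static const char *const k_key_loader =
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe";

/* Four characters packed in memory order, as SoftICE compares 'tICE'. */
#define TAG4(a, b, c, d) ((uint32_t)(unsigned char)(a)        | \
                          (uint32_t)(unsigned char)(b) << 8   | \
                          (uint32_t)(unsigned char)(c) << 16  | \
                          (uint32_t)(unsigned char)(d) << 24)

static uint32_t dword_at(const char *s, size_t off) {
    uint32_t v = 0;
    if (strlen(s) < off + 4) return 0;       /* short key: no match (the
                                                debugger would read past it) */
    memcpy(&v, s + off, 4);
    return v;
}

/* Offset of "tICE" in a subkey, or -1. This is where 0x13 and 0x37 come
   from: 19 = after "Software\NuMega\Sof", 55 = after "...\Uninstall\Sof". */
long tice_offset(const char *subkey) {
    const char *p = strstr(subkey, "tICE");
    return p ? (long)(p - subkey) : -1L;
}

/* The page's BPX condition in C:
   *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE' */
int bpx_regopenkey_hits(const char *lpSubKey) {
    const uint32_t tice = TAG4('t', 'I', 'C', 'E');
    return dword_at(lpSubKey, 0x13) == tice || dword_at(lpSubKey, 0x37) == tice;
}

/* Case-insensitive substring search; registry key names are case-insensitive. */
static int ci_contains(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Wider net: any subkey naming SoftICE or its Symbol Loader, whatever the
   case and wherever in the path it sits. */
int subkey_names_softice(const char *lpSubKey) {
    return ci_contains(lpSubKey, "softice") || ci_contains(lpSubKey, "loader32.exe");
}

int main(void) {
    /* Constructed inputs: the three keys plus two variants the BPX misses. */
    const char *samples[] = { k_key_uninstall, k_key_numega, k_key_loader,
                              "SOFTWARE\\NUMEGA\\SOFTICE", "SoftICE" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("tICE@%ld  bpx=%d  wide=%d  %s\n", tice_offset(samples[i]),
               bpx_regopenkey_hits(samples[i]), subkey_names_softice(samples[i]),
               samples[i]);
    return 0;
}
```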
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed           ; ZF set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>