<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
        -AX = 0910h (Display string in SIce window)
        -AX = 0911h (Execute SIce commands - the command string is located at ds:dx)
        -AX = 0912h (Get breakpoint info)
        -AX = 0913h (Set SIce breakpoints)
        -AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
        -SI = 4647h
        -DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV  AX,0911    ; execute command.
        4C19:0098 MOV  DX,[BX]    ; ds:dx points to the command (see below).
        4C19:009A MOV  SI,4647    ; 1st magic value.
        4C19:009D MOV  DI,4A4D    ; 2nd magic value.
        4C19:00A0 INT  3          ; Int call. (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD  BX,02      ; BX+2 to point to the next command to execute
        4C19:00A4 INC  CX
        4C19:00A5 CMP  CX,06      ; Repeat 6 times to execute
        4C19:00A8 JB   0095       ; 6 different commands.
        4C19:00AA JMP  0002       ; Bad_Guy jmp back.
        4C19:00AD MOV  BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number          ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.
        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed
Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
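As an added example for Method 10 above (this is not code from the original text), the Python decoder below breaks a DR7 value into its fields so the two values quoted there, 0x700 and 0x400, can be read bit by bit: 0x400 is only the reserved bit 10 (which always reads as 1), while 0x700 adds the LE and GE bits with no Ln/Gn breakpoint-enable bit set. The bit layout is the standard x86 one; the function names and the sample value in the test are this example's own.

```python
# Added example: decode an x86 DR7 value. Bit layout (Intel SDM, vol. 3):
#   bits 0-7   L0/G0 .. L3/G3 (local/global enable per breakpoint slot)
#   bit 8      LE, bit 9 GE (exact breakpoint match, ignored on modern CPUs)
#   bit 10     reserved, always reads as 1
#   bit 13     GD (general detect: trap any access to DR0-DR7)
#   bits 16-31 R/Wn (2 bits) and LENn (2 bits) for slot n at 16 + 4*n
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding 10b means 8 bytes, 11b means 4 bytes


def decode_dr7(dr7):
    """Return the LE/GE/GD flags and every enabled hardware breakpoint slot
    with its access type and length."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({
            "slot": n,
            "local": bool(local),
            "global": bool(glob),
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": slots,
    }


def classify_dr7(dr7):
    """Apply the observation made for Method 10: an enabled Ln/Gn bit means a
    hardware (memory) breakpoint is armed; LE/GE set with no breakpoint is the
    0x700 value the text reports for a program started via the SoftICE loader;
    only the always-set bit 10 (0x400) is the idle value."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "hardware breakpoints set"
    if info["LE"] or info["GE"]:
        return "LE/GE set, no breakpoints"
    return "idle"


if __name__ == "__main__":
    for value in (0x400, 0x700):
        print(hex(value), classify_dr7(value), decode_dr7(value))
```

Reading DR0-DR7 is a ring0 operation, as the text says; the decoder is meant for values already captured (from a driver, a crash dump or an emulator), not for reading the registers itself.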

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp  ax, 0f386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

        -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                               \Uninstall\SoftICE
        -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
        -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                               \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

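The breakpoints listed for Methods 09, 11, 12 and 13 catch these tricks while the target runs under SoftICE. The added Python scanner below (not code from the original text or from any of the programs it names) does the static counterpart: it looks through a file for the instruction sequences and strings the text attributes to Methods 01-07, 11, 12 and 13, so a sample can be triaged before it is executed. The opcode bytes are standard x86 encodings of the listings above (an optional 66h operand-size prefix is allowed where a 16-bit register is loaded from 32-bit code); the signature names, helper names and the sample buffer are constructed for this example.

```python
import re

# Added example: static signatures for the anti-SoftICE tricks described
# on this page. Byte values are the x86 encodings of the listings above;
# '\x66?' allows the operand-size prefix used in 32-bit code.
SIGNATURES = {
    # Method 01: mov ebp, 4243484Bh ('BCHK'), immediate is little-endian
    "M01 BoundsChecker 'BCHK' in ebp":
        rb"\xBD\x4B\x48\x43\x42",
    # Method 02: mov si,4647h / mov di,4A4Dh (the INT 3 backdoor magic values)
    "M02 INT 3 backdoor magic SI=4647h DI=4A4Dh":
        rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh
    "M03 int 2Fh/1684h, VxD id 0202h (SICE)":
        rb"\x66?\xB8\x84\x16\x66?\xBB\x02\x02\xCD\x2F",
    "M04 int 2Fh/1684h, VxD id 7A5Fh (SIWVID)":
        rb"\x66?\xB8\x84\x16\x66?\xBB\x5F\x7A\xCD\x2F",
    # Methods 05/06: mov ax,4Fh / int 41h (answered with 0F386h by a debugger)
    "M05/06 int 41h function 4Fh":
        rb"\x66?\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "M07 int 68h function 43h":
        rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh / push 002A002Ah ahead of the VxDCall
    "M12 VxDCall VWIN32_Int41Dispatch(4Fh)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11: device names opened with CreateFileA or _lopen: \\.\SICE etc.
    "M11 SoftICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 13: registry key of the SoftICE installation
    "M13 SoftICE registry key":
        rb"Software\\NuMega\\SoftICE",
}

COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES.items()]


def scan(blob):
    """Return sorted (offset, signature name) pairs for every hit in blob."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path):
    """Scan a file on disk with the same signatures."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample buffer (not a real program): nops, the int 41h/4Fh check
# written from 32-bit code, the INT 3 backdoor magic values, a device name
# and the NuMega registry key.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3"   # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 3
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"           # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x00" * 5
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

A byte-pattern scanner only finds the literal encodings: a packer that builds the magic values at run time, uses a different register order, or encodes int 3 as CDh 03h instead of CCh will not match, which is why the text's run-time breakpoints remain the more reliable check.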
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>