<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It looks for the BoundsChecker signature ('BCHK') handled by SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al is no longer 4 once SoftICE has answered the int 3
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0:0 if the VxD is not loaded
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; assumes ES = 0 (interrupt vector table):
    xchg bx, es:[41h*4+2]       ; install our handler, keep the old vector in dx:bx
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our handler, keep the old vector in dx:bx
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; unpredictable value read from timer port 40h
    xor cx, cx
    int 41h                     ; our handler copies al into cl...
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al                  ; ...unless a debugger handled int 41h instead
    jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name only succeeds if the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

___________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004Fh              ; function 4Fh
    push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0F386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>