<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh    ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4               ; al is no longer 4 if SoftICE answered the call
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx point to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of winice
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax             ; ES:DI is still 0000:0000 if the VxD is absent
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax             ; ES:DI is still 0000:0000 if the VxD is absent
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]        ; install our own int 41h handler (ES = 0 assumed,
    xchg bx, es:[41h*4+2]      ; see method 06), saving the old vector in BX:DX
    mov ax,4fh
    int 41h                    ; a system debugger still answers with 0F386h
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                  ; our handler only copies AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                  ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]        ; install int41handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h                 ; random-ish value read from the timer
    xor cx,cx
    int 41h                    ; reaches our handler only if nothing intercepts it
    xchg dx, es:[41h*4]        ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al                  ; CL == AL unless a debugger swallowed the call
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h                      ; DOS set interrupt vector
    mov al, Int_Number               ; 01h or 03h
    mov dx, offset New_Int_Routine   ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open succeeded only because the VxD answered DIOC_OPEN */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                    ; OF_READ
    mov eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                    ; HFILE_ERROR (-1) becomes 0
    jnz 00650589               ; detected
    push 00                    ; OF_READ
    mov eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32)
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxdCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386             ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
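As an added example that is not part of the original text, the following Python script scans a file for the byte patterns of the checks listed in methods 01 to 12 above, the way an analyst would triage a packed program before loading it under the debugger. It assumes the 16-bit instruction encodings of the listings (plus the 66h-prefixed form of method 01 for 32-bit code), and the sample buffer is constructed, not taken from any real file.

```python
"""Triage scanner for the SoftICE checks listed on this page (added example)."""
import re
import sys

# Byte patterns for the listings above. Immediates are little-endian; the
# 16-bit encodings match the page's DOS-style listings, and the optional
# 66h prefix on method 01 also accepts the same instruction in 32-bit code.
SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' in EBP before INT 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),              # MOV EBP,4243484Bh
    ("Method 02: INT 3 back door, SI=4647h / DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.DOTALL)),
    ("Method 03: INT 2Fh/1684h with SICE VxD ID 0202h",
     re.compile(rb"\xBB\x02\x02.{0,8}?\xCD\x2F", re.DOTALL)),
    ("Method 04: INT 2Fh/1684h with SIWVID VxD ID 7A5Fh",
     re.compile(rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.DOTALL)),
    ("Method 05: INT 41h function 4Fh (expects 0F386h)",
     re.compile(rb"\xB8\x4F\x00.{0,32}?\xCD\x41", re.DOTALL)),
    ("Method 07: INT 68h function 43h (V86 WinICE handler)",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    ("Method 11: MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (002A002Ah) with 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
]


def scan(blob):
    """Return a sorted list of (offset, label) for every pattern found in blob."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(blob):
            hits.append((match.start(), label))
    return sorted(hits)


# Constructed sample (not extracted from any real binary): a Haspinst.exe-style
# back door sequence (method 02), an int 41h/4Fh check (method 05) and the
# MeltICE device name (method 11), separated by NOP padding.
SAMPLE = (
    b"\xB8\x11\x09"            # MOV AX,0911
    b"\x8B\x17"                # MOV DX,[BX]
    b"\xBE\x47\x46"            # MOV SI,4647          (offset 5)
    b"\xBF\x4D\x4A"            # MOV DI,4A4D
    b"\xCC"                    # INT 3
    b"\x90\x90\x90\x90"        # NOP padding
    b"\xB8\x4F\x00\xCD\x41"    # MOV AX,4F / INT 41   (offset 16)
    b"\x3D\x86\xF3"            # CMP AX,F386
    b"\x00\\\\.\\SICE\x00"     # '\\.\SICE',0         (offset 25)
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label in scan(data):
        print(f"{offset:08x}  {label}")
```

Run it with a file path to scan that file, or with no argument to scan the constructed sample.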