<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh      ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

__________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911      ; execute command.
4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647      ; 1st magic value.
4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0  INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8  JB   0095         ; 6 different commands.
4C19:00AA  JMP  0002         ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
__________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h            ; VxD ID of winice
        int 2Fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax               ; ES:DI == 0:0 means the VxD is not loaded
        jnz SoftICE_Detected

__________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh            ; VxD ID of SIWVID
        int 2fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax                ; ES = 0 -> interrupt vector table (as in method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]      ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]    ; ...and keep the old vector in bx:dx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]      ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h           ; our handler leaves ax alone; a debugger returns F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al                ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]      ; install our handler, keep the old vector in bx:dx
        xchg bx, es:[41h*4+2]
        in al, 40h               ; al = an arbitrary value (timer port)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]      ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al                ; if our handler ran, cl==al; if SoftICE took the int, it did not
        jnz SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client eip is
        located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number       ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx           ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025            ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp  eax,-001
00401074:  je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh           ; function 4fh
        push 002a002ah           ; high word specifies which VxD (VWIN32),
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001    ; VxdCall
        cmp ax, 0f386h           ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
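As an added example (not part of the original text, nor code from any of the programs it names), here is a Python scanner that looks in a raw binary for the byte sequences and strings left behind by methods 01 to 05, 07, 11, 12 and 13 above, so an analyst can see which of these tricks a sample carries before running it. The instruction encodings, the slack allowed between instructions, the labels and the constructed sample bytes are my own assumptions.

```python
"""Static triage of the SoftICE-detection tricks above (added example).
Scans raw bytes for the instruction sequences and strings each method
leaves behind.  Encodings assumed: B8+r iw = mov r16,imm16, CD ib = int,
3D iw = cmp ax,imm16; a few bytes of slack are allowed between instructions.
"""
import re
import sys

SIGNATURES = [  # (label, pattern over raw bytes)
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker BCHK/int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values, then int 3
    ("02 int 3 back door SI=4647h DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}?\xCC", re.S)),
    # Method 03: mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD ID)
    ("03 int 2Fh/1684h VxD ID 0202h",
     re.compile(rb"\xB8\x84\x16.{0,6}?\xBB\x02\x02.{0,6}?\xCD\x2F", re.S)),
    # Method 04: same probe with the SIWVID VxD ID 7A5Fh
    ("04 int 2Fh/1684h VxD ID 7A5Fh",
     re.compile(rb"\xB8\x84\x16.{0,6}?\xBB\x5F\x7A.{0,6}?\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h
    ("05 int 41h/4Fh magic F386h",
     re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,8}?\x3D\x86\xF3", re.S)),
    # Method 07: mov ah,43h / int 68h ... cmp ax,0F386h (66 prefix in 32-bit)
    ("07 int 68h/43h magic F386h",
     re.compile(rb"\xB4\x43\xCD\x68.{0,8}?\x66?\x3D\x86\xF3", re.S)),
    # Method 11: MeltICE device names passed to CreateFileA / _lopen
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch) ... cmp ax
    ("12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"
                rb".{0,12}?\x66\x3D\x86\xF3", re.S)),
    # Method 13: registry paths (ANSI strings only; wide strings not matched)
    ("13 SoftICE registry path",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe")),
]


def scan(data: bytes) -> list:
    """Return [(label, offset), ...] for every signature hit, by offset."""
    hits = [(label, m.start())
            for label, pat in SIGNATURES for m in pat.finditer(data)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample: the Haspinst.exe fragment from method 02 (B8 11 09 =
# mov ax,0911h; 8B 17 = mov dx,[bx]), the method 04 probe, and a MeltICE
# device name as it would sit in the data section of a Win32 program.
SAMPLE = (b"\x90" * 4
          + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
          + b"\x90" * 4
          + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"
          + b"\x00" * 4
          + b"\\\\.\\SICE\x00")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for label, off in scan(data):
        print(f"{off:08x}  method {label}")
```

Run it with a file path to scan that file, or with no argument to scan the constructed sample; a hit only says the bytes are present, so confirm each one in a disassembler before drawing conclusions.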
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>