<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911 ; execute command.
    4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647 ; 1st magic value.
    4C19:009D MOV DI,4A4D ; 2nd magic value.
    4C19:00A0 INT 3 ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
    4C19:00A8 JB 0095 ; 6 different commands.
    4C19:00AA JMP 0002 ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of winice
    int 2Fh
    mov ax, es ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh ; VxD ID of SIWVID
    int 2fh
    mov ax, es ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next variant, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]   ; es is assumed to be 0 here (see Method 06)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]   ; restore the original int 41h vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]   ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h            ; arbitrary byte from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]   ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al             ; cl is still 0 if our handler was never reached
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
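As an added illustration (not part of the original text), the following Python decodes a DR7 value the way this check interprets it: the bit positions come from the Intel manual, the 0x700/0x400 rule is the one stated above, and the sample values are constructed.

```python
from typing import Dict, List

# DR7 layout (Intel SDM, vol. 3): bits 0-7 = L0,G0,L1,G1,L2,G2,L3,G3 enable
# bits; bit 8 = LE; bit 9 = GE; bit 10 = reserved, reads as 1; bit 13 = GD;
# bits 16-31 = R/Wn (2 bits) and LENn (2 bits) for breakpoints n = 0..3.
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split a DR7 value into its control flags and per-breakpoint settings."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({"n": n, "enabled": bool(local or glob),
                    "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & 0x100), "GE": bool(dr7 & 0x200),
            "GD": bool(dr7 & 0x2000), "breakpoints": bps}


def dr7_says_softice_loader(dr7: int) -> bool:
    """The heuristic quoted above: 0x700 (LE and GE set on top of the
    reserved bit) when started through the SoftICE loader, 0x400 otherwise."""
    return (dr7 & 0x300) == 0x300


def active_bpm(dr7: int) -> List[int]:
    """Indexes of dr0..dr3 holding an enabled hardware breakpoint (a BPM)."""
    return [b["n"] for b in decode_dr7(dr7)["breakpoints"] if b["enabled"]]


if __name__ == "__main__":
    # Constructed values: the two the text quotes, plus 0x400 with a 4-byte
    # read/write BPM armed in dr1 (L1 set, R/W1 = 3, LEN1 = 3).
    for value in (0x400, 0x700, 0x400 | (1 << 2) | (3 << 20) | (3 << 22)):
        print(hex(value), dr7_says_softice_loader(value), active_bpm(value),
              decode_dr7(value)["breakpoints"][1])
```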
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025 ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00 ; OF_READ
    mov eax,[00656634] ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589 ; detected
    push 00 ; OF_READ
    mov eax,[00656638] ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh ; function 4fh
    push 002a002ah ; high word specifies which VxD (VWIN32),
                   ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxdCall
    cmp ax, 0f386h ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
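The instruction sequences of methods 01 to 07 and 12 leave recognisable byte patterns in a binary, which is how an analyst can spot them without running the program. As an added example (not from the original text or from any of the tools it cites), here is a Python scanner built from the encodings of the listings above; the sample buffer is constructed, and since packers vary these sequences a production scanner would need many more patterns.

```python
import re
from typing import List, Tuple

# Opcode patterns for the listings above, in 16-bit (DOS) encoding with an
# optional 0x66 operand-size prefix so the same pattern also fits 32-bit code.
# Immediates are little-endian: 'BCHK' = 4243484Bh -> 4B 48 43 42.
SIGNATURES = [
    ("method 01: BoundsChecker 'BCHK' check via int 3",
     rb"\x66?\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00(?:\xCC|\xCD\x03)"),
    ("method 02: SoftICE back door (SI=4647h, DI=4A4Dh) before int 3",
     rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A(?:\xCC|\xCD\x03)"),
    ("method 03/04: int 2Fh/1684h entry point of VxD 0202h or 7A5Fh",
     rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    ("method 05: int 41h function 4Fh debugger check",
     rb"\x66?\xB8\x4F\x00\xCD\x41"),
    ("method 07: int 68h function 43h (V86) debugger check",
     rb"\xB4\x43\xCD\x68"),
    ("method 12: VxDCall VWIN32_Int41Dispatch with function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("compare against the 0F386h debugger magic number",
     rb"\x66?\x3D\x86\xF3"),
]
COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: NOP filler, a method 01 stub, filler, a method 05 stub
# followed by the cmp ax,0F386h / jz pair.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("66BD4B484342B80400CC3C047512")   # method 01 + cmp al,4 / jnz
    + b"\x90" * 3
    + bytes.fromhex("B84F00CD413D86F3740A")           # method 05 + magic cmp / jz
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:04x}: {name}")
```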
__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>