<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used
by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE implements: with
EBP = 'BCHK' and AX = 4, the INT 3 is intercepted by SoftICE, and AL is
no longer 4 afterwards.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; AL still 4 => nobody answered the call
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at DS:DX)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy: jump back.
4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded, since the INT 3 is then not answered by SoftICE.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via INT 2Fh/AX=1684h
(Get Device API Entry Point): ES:DI receives the VxD's API entry point, or
0000:0000 if no VxD with that ID is loaded.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; ES+DI is 0 only when both are still zero
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls INT 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It temporarily replaces the INT 41h vector
with a handler that does nothing, so if 0F386h still comes back, the answer
came from a debugger that intercepts INT 41h before the vector is reached:

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP
_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect. The
check no longer looks for 0F386h: the program's own handler copies AL into
CL, so if the interrupt reaches the vector table, CL equals AL afterwards.
If something else handles INT 41h first (which is what SoftICE does), CL
stays at zero and the mismatch reveals the debugger.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; AL = timer byte, an unpredictable value
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on INT 68h (V86), function 43h:

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...).

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
of that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or if there are some memory breakpoints set (DR0 to DR3),
simply by reading their value (ring 0 only, since MOV from a debug register
is a privileged instruction). Values can be manipulated and/or changed as
well (clearing BPMs, for instance).

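The following is an added example, not code from the original text: it decodes DR7 values like the 0x700/0x400 pair above and shows which BPM slots (DR0..DR3) are armed and how to clear one. The bit layout is the Intel DR7 layout (Li/Gi enables in bits 0..7, LE/GE in bits 8..9, reserved bit 10 always 1, R/W and LEN fields from bit 16 up); reading or writing DR7 itself needs ring 0, so the values here are constructed by hand rather than read from the CPU.

```c
/* Added example: decoding/manipulating DR7 as Method 10 describes.
 * Reading DR7 needs ring 0; all values below are constructed by hand. */
#include <stdint.h>
#include <stdio.h>

#define DR7_LE   (1u << 8)   /* local exact breakpoint enable  */
#define DR7_GE   (1u << 9)   /* global exact breakpoint enable */
#define DR7_RSV  (1u << 10)  /* reserved bit, always reads as 1 */
#define DR7_GD   (1u << 13)  /* general detect: trap on any DRx access */

typedef struct {
    int enabled;   /* 0 = unused, 1 = local (Li), 2 = global (Gi), 3 = both */
    int rw;        /* 0 = execute, 1 = write, 3 = read/write, 2 = I/O (CR4.DE) */
    int len;       /* 1, 2, 4 bytes (8 is only defined in 64-bit mode) */
} dr_slot;

/* Bit i of the result is set when DRi has its Li or Gi enable bit set. */
int dr7_enabled_mask(uint32_t dr7)
{
    int mask = 0;
    for (int i = 0; i < 4; i++)
        if (dr7 & (3u << (2 * i)))
            mask |= 1 << i;
    return mask;
}

/* Decode the control fields of one breakpoint slot (0..3). */
dr_slot dr7_decode_slot(uint32_t dr7, int i)
{
    static const int len_tab[4] = { 1, 2, 8, 4 };   /* LEN encodings 00,01,10,11 */
    dr_slot s;
    s.enabled = (dr7 >> (2 * i)) & 3;
    s.rw      = (dr7 >> (16 + 4 * i)) & 3;
    s.len     = len_tab[(dr7 >> (18 + 4 * i)) & 3];
    return s;
}

/* The text's observation: 0x700 after loading through the SoftICE loader,
 * 0x400 otherwise. The difference is LE|GE; bit 10 is set in both cases. */
int dr7_has_loader_signature(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* "Clearing BPMs": return DR7 with slot i disabled and its R/W and LEN
 * fields zeroed. Ring-0 code would write the result back with MOV DR7, reg. */
uint32_t dr7_clear_slot(uint32_t dr7, int i)
{
    dr7 &= ~(3u << (2 * i));          /* Li, Gi */
    dr7 &= ~(0xFu << (16 + 4 * i));   /* R/Wi, LENi */
    return dr7;
}

int main(void)
{
    /* Constructed: loader signature plus a BPM on DR0 (read/write, 4 bytes, local). */
    uint32_t dr7 = 0x700u | 1u | (3u << 16) | (3u << 18);
    printf("dr7=%#x loader=%d enabled=%#x\n", (unsigned)dr7,
           dr7_has_loader_signature(dr7), dr7_enabled_mask(dr7));
    for (int i = 0; i < 4; i++) {
        dr_slot s = dr7_decode_slot(dr7, i);
        if (s.enabled)
            printf("DR%d: enable=%d rw=%d len=%d\n", i, s.enabled, s.rw, s.len);
    }
    printf("after clearing DR0: %#x\n", (unsigned)dr7_clear_slot(dr7, 0));
    return 0;
}
```

A DR7 of exactly 0x400 therefore means "no BPM set, not started from the loader"; anything with Li/Gi bits set identifies which slot holds a BPM, and dr7_clear_slot gives the value a protector would write back to silently remove it.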
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware program try to
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025        ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp  eax,-001
00401074:  je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on failure,
hence the INC EAX / JNZ test):

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected
__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check (code 05
& 06) but very limited because it's only available on Win95/98 (not NT), as
it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0f386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of "tICE" inside the subkey strings of #2 and #1):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

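The memory compares behind the CreateFileA breakpoint of Method 11 and the _RegOpenKey breakpoint of Method 13, written out as an added example in portable C (this is not code from the original text or from MeltICE). It assumes the device names and registry keys quoted above, and it goes one step beyond the breakpoints: the 0x13/0x37 offsets are derived instead of hard-coded, and the registry check is generalised to a case-insensitive search, since registry key names are not case-sensitive and a fixed-offset compare misses "software\numega\softice".

```c
/* Added example: the compares behind the Method 11 / Method 13 breakpoints.
 * Strings below are constructed from the names and keys quoted in the text. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Four-character tags the BPX compares at esp->4+4, i.e. the bytes right
 * after the "\\.\" prefix of the device path passed to CreateFileA. */
static const char *const softice_tags[] = { "SICE", "SIWV", "NTIC" };

/* Mirrors: BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
 * Returns the matched tag, or NULL. A 4-byte compare is enough because
 * "SIWV" covers "\\.\SIWVID" and "NTIC" covers "\\.\NTICE". */
const char *softice_device_tag(const char *path)
{
    if (path == NULL || strncmp(path, "\\\\.\\", 4) != 0)
        return NULL;                          /* not a \\.\ device path */
    if (strlen(path + 4) < 4)
        return NULL;                          /* too short to hold a tag */
    for (size_t i = 0; i < sizeof softice_tags / sizeof softice_tags[0]; i++)
        if (memcmp(path + 4, softice_tags[i], 4) == 0)
            return softice_tags[i];
    return NULL;
}

/* Offset of "tICE" inside a registry subkey string (the lpSubKey argument,
 * esp->8), or -1. This is where 0x13 and 0x37 in the Method 13 BPX come from. */
int tice_offset(const char *subkey)
{
    const char *p = strstr(subkey, "tICE");
    return p ? (int)(p - subkey) : -1;
}

/* Generalisation of that breakpoint: search the whole subkey for "softice"
 * ignoring case, instead of comparing four bytes at a fixed offset. */
int subkey_names_softice(const char *subkey)
{
    static const char needle[] = "softice";
    size_t n = strlen(needle);
    for (const char *p = subkey; strlen(p) >= n; p++) {
        size_t k = 0;
        while (k < n && tolower((unsigned char)p[k]) == needle[k])
            k++;
        if (k == n)
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *tag = softice_device_tag("\\\\.\\SIWVID");
    printf("\\\\.\\SIWVID -> %s\n", tag ? tag : "(none)");
    printf("tICE offset in Software\\NuMega\\SoftICE: %#x\n",
           tice_offset("Software\\NuMega\\SoftICE"));
    printf("tICE offset in the Uninstall key: %#x\n",
           tice_offset("Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE"));
    return 0;
}
```

Note that key #3 (App Paths\Loader32.Exe) contains no "tICE" at any offset and does not name SoftICE at all, so neither the breakpoint nor the generalised search catches a program that only probes that key.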
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je   not_installed      ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>