<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature supported by SoftICE: if SoftICE
is loaded it services the 'BCHK' request and AL is no longer 4 afterwards.

    mov ebp, 04243484Bh   ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

(In a Win32 program the int 3 raises a breakpoint exception when no debugger
swallows it, so packers wrap this check in an exception handler; see the
note under Method 02.)

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which return information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH (exception handler) if the
  debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the SoftICE VxD's API entry point via
int 2Fh/1684h (Get VxD API entry point), using its VxD ID. If the VxD is
not loaded, ES:DI is left at 0000:0000.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h          ; VxD ID of WINICE (SICE)
    int 2Fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it asks for the SoftICE GFX
VxD (SIWVID) by its VxD ID.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh          ; VxD ID of SIWVID
    int 2fh
    mov ax, es             ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first pointed at a
dummy handler (a bare iret), so that without a system debugger hooking
int 41h the call returns with AX unchanged, while a debugger still answers
with 0F386h:

    xor ax,ax
    mov es,ax              ; es -> interrupt vector table (segment 0), as in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect, as
neither 4Fh nor 0F386h appears: the dummy handler copies AL into CL, so if
the program's own handler ran, CL equals the value read from port 40h; if a
debugger intercepted int 41h instead, CL is still 0 and the compare fails.
(A value of 0 read from the timer port gives a false negative.)

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h             ; pseudo-random value from the timer
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (which hangs the computer...):

    mov ah, 25h
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS must hold the routine's segment
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name     ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints are set (dr0 to dr3), simply
by reading their values (ring 0 only: mov eax,drN is privileged and raises
a general protection fault from ring 3). The values can be manipulated or
changed as well (clearing BPMs for instance).

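As an added example (not part of the original text), here is a small Python
decoder for the DR7 layout behind the two values quoted above: bit 10 is
reserved and always reads as 1 (hence 0x400 when nothing is set), bits 8 and
9 are the LE/GE exact-breakpoint enables (0x700 = both set plus bit 10), and
the L/G enable pairs, R/W type and LEN fields describe dr0..dr3. Reading
"LE/GE set" as "loaded with the SoftICE loader" is taken from the text above;
the register value itself has to be read from ring 0.

```python
# Decoder for the x86 DR7 debug-control register (added example, not from
# the original text).
DR7_LE = 1 << 8                # local exact breakpoint enable
DR7_GE = 1 << 9                # global exact breakpoint enable
DR7_RESERVED_BIT10 = 1 << 10   # always reads as 1, so 0x400 == "nothing set"

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN field encoding; 2 means 8 bytes in 64-bit mode and is undefined on 32-bit
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return the breakpoints enabled by DR7 plus the LE/GE flags."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3 are the even bits 0..6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3 are the odd bits 1..7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/W field for drN
        ln = (dr7 >> (18 + 4 * i)) & 3        # LEN field for drN
        bps.append({"reg": f"dr{i}",
                    "scope": "global" if glob else "local",
                    "type": RW_TYPES[rw],
                    "len": LEN_BYTES[ln]})
    return {"breakpoints": bps,
            "le": bool(dr7 & DR7_LE),
            "ge": bool(dr7 & DR7_GE)}


def softice_verdict(dr7):
    """Apply the Method 10 heuristic to a DR7 value read in ring 0."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints set (BPM?)"
    if d["le"] and d["ge"]:
        return "LE/GE set: program loaded with the SoftICE loader"
    return "clean"


if __name__ == "__main__":
    # 0x0D0401: L0 enabled, R/W0 = write, LEN0 = 4 bytes (a BPM-style setting)
    for v in (0x400, 0x700, 0x0D0401):
        print(hex(v), softice_verdict(v), decode_dr7(v)["breakpoints"])
```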
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to let Symbol Loader check whether SoftICE was active or not (the
code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open a handle to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

 00401067: push 00402025        ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ; will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ; will break 3 times :-(
-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes
05 & 06) but very limited because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

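As an added example that is not part of the original text, here is a Python
scanner for the byte patterns of the tricks described in Methods 01 to 12,
the kind of thing you run over a packed executable before loading it in the
debugger. The encodings assume 16-bit real-mode code for the int-based checks
(the 32-bit forms with a 66h prefix still match, since only substrings are
searched) and 32-bit code for the 'BCHK' mov ebp and the VxDCall push
sequence; the small wildcard windows are an assumption of this example, to
tolerate a few interleaved instructions. The sample buffer is constructed
here from the Haspinst.exe listing of Method 02, a MeltICE device name and
the simplest int 41h/4Fh check; it is not a dump of any real file.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    method: str    # which of the methods above the bytes correspond to
    offset: int
    length: int


# (method, description, regex over raw bytes).  Encodings: 16-bit real mode
# for the int-based checks, 32-bit for 'BCHK' mov ebp and the VxDCall pushes.
# The .{0,N} windows (an assumption of this example) allow a few interleaved
# instructions between the parts of a trick.
SIGNATURES = [
    ("M01", "mov ebp,'BCHK' ... int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,12}\xCC"),
    ("M02", "mov si,4647h / mov di,4A4Dh ... int 3 (back door)",
     rb"(?:\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46).{0,8}\xCC"),
    ("M03/04", "mov ax,1684h / mov bx,0202h|7A5Fh ... int 2Fh",
     rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F"),
    ("M05", "mov ax,4Fh ... int 41h ... cmp ax,0F386h",
     rb"\xB8\x4F\x00.{0,16}\xCD\x41.{0,16}\x3D\x86\xF3"),
    ("M07", "mov ah,43h ... int 68h",
     rb"\xB4\x43.{0,8}\xCD\x68"),
    ("M11", "MeltICE device name \\\\.\\SICE, SIWVID or NTICE",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("M12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(data: bytes) -> list[Hit]:
    """Return every signature match in data, ordered by file offset."""
    hits = [Hit(m, mt.start(), mt.end() - mt.start())
            for m, _, rx in COMPILED for mt in rx.finditer(data)]
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_hit(data: bytes) -> list[str]:
    """Sorted list of the distinct methods found in data."""
    return sorted({h.method for h in scan(data)})


# Constructed sample (not a dump of a real file): the Haspinst.exe loop from
# Method 02, a MeltICE device name and the simplest int 41h/4Fh check,
# separated by NOP padding.
SAMPLE = (
    bytes.fromhex("B8 11 09 8B 17 BE 47 46 BF 4D 4A CC 83 C3 02 41 83 F9 06 72 EB")
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"
    + b"\x90" * 8
    + bytes.fromhex("B8 4F 00 CD 41 3D 86 F3")
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#06x} {h.method:7} {h.length} bytes")
```

A hit only says that the bytes of a known trick are present; packers that
build the magic values at run time (for example by xor-ing them) will not
match, so treat the scanner as a first pass before the breakpoints listed
under each method.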
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>