<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: SoftICE answers the
BoundsChecker int 3 interface, so AL is left untouched only when no
SoftICE is present.

    mov ebp, 04243484Bh     ; 'BCHK' BoundsChecker signature
    mov ax, 04h             ; BoundsChecker interface function
    int 3
    cmp al, 4               ; AL still 4 -> nobody answered the call
    jnz SoftICE_Detected    ; AL changed -> SoftICE handled the int 3

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands... It is also used to crash SoftICE and to
force it to execute any command (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI comes back
non-zero.

    xor di, di
    mov es, di              ; ES:DI = 0:0 before the call
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 0202h           ; VxD ID of WINICE (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES+DI == 0 only if nothing was returned
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h           ; Get Device API Entry Point
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4fh             ; debugger installation check
    int 41h
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

The next one and Method 06 are two examples from Stone's "stn-wid.zip"
(www.cracking.net). A dummy int 41h handler is installed first, so that
without a debugger the call returns immediately and ax is unchanged:

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h                 ; a system debugger still sees this call
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:
instead of looking for the 0F386h magic number, it checks whether the
value it passed in al comes back in cl, which only the dummy handler
below would copy there.

int41handler PROC
    mov cl, al              ; dummy handler: echo al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install the dummy handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random byte from the PIT counter
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl != al -> our handler was not the one that ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah, 43h             ; debugger installation check
    int 68h
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip is located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

This is not a SoftICE detection method but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h             ; DOS: set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h                 ; ds:dx -> New_Int_Routine

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by checking the Debug Registers, you can
detect if SoftICE is loaded (dr7=0x700 if you loaded the soft with the
SoftICE Loader, 0x400 otherwise) or if some memory breakpoints are set
(dr0 to dr3), simply by reading their value (ring0 only). The values can
be manipulated or changed as well (clearing BPMs for instance).

__________________________________________________________________________

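The DR7 values quoted above, decoded bit by bit. This is an added example, not code from the original text: a Python decoder following the Intel SDM layout of DR7, plus a helper that builds the value a debugger writes to arm a memory breakpoint so the decoder can be exercised offline. The classify() rule is this page's heuristic (0x700 vs 0x400), not a general debugger test.

```python
# DR7 layout (Intel SDM): bits 0-7 = L0,G0 .. L3,G3 enables; bit 8 = LE;
# bit 9 = GE; bit 10 = reserved, always reads 1 (hence the 0x400 baseline);
# bit 13 = GD; bits 16+4n / 18+4n = R/W and LEN fields for DRn.
RW_NAMES = {0: "execute", 1: "write", 2: "io (needs CR4.DE)", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}      # 2 -> 8 bytes, 64-bit mode only


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its control flags and list every armed breakpoint."""
    bps = []
    for n in range(4):
        local = bool(dr7 >> (2 * n) & 1)
        glob = bool(dr7 >> (2 * n + 1) & 1)
        if local or glob:
            rw = dr7 >> (16 + 4 * n) & 3
            ln = dr7 >> (18 + 4 * n) & 3
            bps.append({"reg": n, "local": local, "global": glob,
                        "rw": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & 0x100),
        "ge": bool(dr7 & 0x200),
        "reserved_bit10": bool(dr7 & 0x400),
        "gd": bool(dr7 & 0x2000),
        "breakpoints": bps,
    }


def classify(dr7: int) -> str:
    """This page's heuristic only: L/G bits armed -> BPMs set; LE and GE
    both set with no breakpoints -> the 0x700 the SoftICE Loader leaves;
    otherwise the 0x400 idle baseline.  Other ring-0 code may set LE/GE too."""
    f = decode_dr7(dr7)
    if f["breakpoints"]:
        return "hardware breakpoints armed"
    if f["le"] and f["ge"]:
        return "LE/GE set (SoftICE Loader signature per Method 10)"
    return "baseline (no debugger evidence)"


def arm_dr7(reg: int, rw: int, length: int, local: bool = True) -> int:
    """Build the DR7 a debugger writes to arm DRn (rw: 0-3 as in RW_NAMES,
    length in bytes: 1, 2 or 4) on top of the 0x400 baseline."""
    ln = {1: 0, 2: 1, 4: 3}[length]
    value = 0x400 | (1 << (2 * reg + (0 if local else 1)))
    return value | (rw << (16 + 4 * reg)) | (ln << (18 + 4 * reg))


if __name__ == "__main__":
    for v in (0x400, 0x700, arm_dr7(0, 3, 4)):
        print(f"DR7={v:#010x}: {classify(v)}  {decode_dr7(v)['breakpoints']}")
```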
Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver
handles (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

    #include <windows.h>

    BOOL IsSoftIce95Loaded()
    {
        HANDLE hFile;
        hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE)
        {
            CloseHandle(hFile);     /* the device exists: SoftICE is loaded */
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to
be able to intercept it by installing an IFS hook: it will not work, no
way! In fact, after the call to CreateFileA it goes through the VWIN32
0x001F service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                 ; will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                 ; will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                   ; OF_READ
    mov eax,[00656634]        ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                   ; HFILE_ERROR (-1) becomes 0
    jnz 00650589              ; detected
    push 00                   ; OF_READ
    mov eax,[00656638]        ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae               ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

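As an added example (not part of the original text), a small static triage scanner in Python that looks for the byte-level residue several of these methods leave in a binary: the BCHK constant of Method 01, the int 3 back door magic values of Method 02, the int 2Fh/1684h VxD IDs of Methods 03/04, the int 41h/4Fh, int 68h and 0F386h checks of Methods 05/07/12, the MeltICE device names of Method 11 and the registry key of Method 13. Instruction encodings assume 16-bit code for the DOS tricks and 32-bit code for the Win32 ones; the sample blob is constructed here, not taken from a real binary.

```python
import struct

# (byte pattern, method number on this page, description).  Encodings assume
# 16-bit code for the DOS tricks (B8/BB/BE/BF = mov r16,imm16; CD = int) and
# 32-bit code for the Win32 ones (BD = mov ebp,imm32; 6A/68 = push imm).
SIGNATURES = [
    (b"\xBD" + struct.pack("<I", 0x4243484B), 1,
     "mov ebp,'BCHK' (BoundsChecker signature for int 3, AX=04h)"),
    (b"\xBE\x47\x46\xBF\x4D\x4A", 2,
     "mov si,4647h / mov di,4A4Dh (int 3 back door magic values)"),
    (b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F", 3,
     "int 2Fh/1684h with VxD ID 0202h (SICE)"),
    (b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F", 4,
     "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)"),
    (b"\xB8\x4F\x00\xCD\x41", 5, "mov ax,4Fh / int 41h debugger check"),
    (b"\x3D\x86\xF3", 5, "cmp ax,0F386h (system debugger magic number)"),
    (b"\xB4\x43\xCD\x68", 7, "mov ah,43h / int 68h (V86 debugger check)"),
    (b"\\\\.\\SICE", 11, "device name \\\\.\\SICE (MeltICE)"),
    (b"\\\\.\\SIWVID", 11, "device name \\\\.\\SIWVID (MeltICE)"),
    (b"\\\\.\\NTICE", 11, "device name \\\\.\\NTICE (MeltICE)"),
    (b"\x6A\x4F\x68\x2A\x00\x2A\x00", 12,
     "push 4Fh / push 2A002Ah (VxDCall VWIN32_Int41Dispatch)"),
    (b"Software\\NuMega\\SoftICE", 13, "registry key Software\\NuMega\\SoftICE"),
]

def scan(blob: bytes) -> list:
    """Return every signature hit as {offset, method, what}, sorted by offset.
    Constants computed at run time or split across instructions evade this,
    so a hit is a triage hint for the analyst, not proof of the trick."""
    hits = []
    for pattern, method, what in SIGNATURES:
        start = 0
        while (pos := blob.find(pattern, start)) != -1:
            hits.append({"offset": pos, "method": method, "what": what})
            start = pos + 1
    return sorted(hits, key=lambda h: h["offset"])

def methods_found(blob: bytes) -> set:
    """The set of method numbers whose residue appears in the blob."""
    return {h["method"] for h in scan(blob)}

# Constructed sample (not a real binary): NOP filler around the int 3 back
# door of Method 02, the int 41h/4Fh check of Method 05 and MeltICE names.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"     # mov ax,911h; si; di; int 3
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"     # mov ax,4Fh; int 41h; cmp; jz
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\SIWVID\x00"
    + b"\x90" * 16
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h['offset']:#06x}  method {h['method']:02d}  {h['what']}")
```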
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring0 only).

    VMMCall Test_Debug_Installed    ; ZF set if no debugger is installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>