<TABLE width=500>. Y0 y9 m+ _' @+ p% r/ t5 F3 H- M
<TBODY>
7 E" L8 N; Y5 Y: V" W" o+ h! x3 u<TR>) m6 C* h$ }8 I, P( c
<TD><PRE>Method 01
8 u) w3 p- Z" Q=========
0 m$ g' p0 o: k% M& Y' ^ w8 D2 M8 Q1 E
, u" G2 L( V, H' V4 B% dThis method of detection of SoftICE (as well as the following one) is( T l$ b+ L$ q- Q
used by the majority of packers/encryptors found on Internet.
X: k/ G/ R8 u& [It seeks the signature of BoundsChecker in SoftICE
' r: P& A; e1 v& I/ V
: R( M3 t% s% N; B' n3 ~) M mov ebp, 04243484Bh ; 'BCHK'
8 s' R% D, O* K( G1 w mov ax, 04h
( D& U0 u+ D: Y3 x, N int 3
, m' h* q! ^* U9 \' c cmp al,4
$ @2 k; q- o8 f/ T jnz SoftICE_Detected( T& q% x: U9 G" P* l
7 _& {7 J" J; P9 R2 e___________________________________________________________________________. E- m8 z! p+ j4 m% L
$ b; G# h; w1 G" Q$ z4 G* OMethod 02/ l- Y# {2 V+ M" x6 p* Z% h- T2 [
=========
! _7 n/ ^3 q; z! m; D# H# n0 I: m+ N6 v6 \9 {
Still a method very much used (perhaps the most frequent one). It is used
+ n) g2 m& }- p" kto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
" i& y. o" r8 ~2 ]- I/ n/ T; jor execute SoftICE commands...
) C8 `0 @8 c; J- s. J& N @ R; uIt is also used to crash SoftICE and to force it to execute any commands
( h9 J4 N0 y+ @(HBOOT...) :-(( 7 P8 w( M6 T( c/ i9 u/ ]/ ^
! ~+ j% |/ Z) b$ F; D4 DHere is a quick description:6 k1 Y& {- ~5 p. j1 E' A* `
-AX = 0910h (Display string in SIce windows)6 {9 b" q8 k: l( V8 G; J6 [, A
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
- \: B, C" B$ [6 p1 l' q# r1 |-AX = 0912h (Get breakpoint infos)
# d. c) `! w8 C3 v1 @- R5 C3 Q-AX = 0913h (Set Sice breakpoints)
9 v; s7 @5 U1 U-AX = 0914h (Remove SIce breakoints)
8 p/ K; Q. t. G& x
9 F4 V7 _! }5 @- Y3 f5 @Each time you'll meet this trick, you'll see:! s1 i/ W- U" @7 A! o, ]. L O
-SI = 4647h3 r& k* w V" f! s
-DI = 4A4Dh
- z1 q# L% w% e8 C" z4 B7 y' mWhich are the 'magic values' used by SoftIce.; T& T; j' M3 x" R, [. t0 K
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.0 I$ }3 y+ C- N& X5 M6 M3 T# H1 r7 T
, Y9 K5 E. B8 ~
Here is one example from the file "Haspinst.exe" which is the dongle HASP' o- i+ j- b+ b' m
Envelope utility use to protect DOS applications:
M! i9 R l6 a; f& L. {# X- q
$ X1 s" }2 _' @( T m% Q0 b' |6 q8 J, M( v9 r7 k5 t5 m2 `6 U
4C19:0095 MOV AX,0911 ; execute command.
5 f2 t. v3 i c& B4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
* {3 k# {, T9 a0 n4C19:009A MOV SI,4647 ; 1st magic value.7 n7 a' C% p2 a: q5 `9 L
4C19:009D MOV DI,4A4D ; 2nd magic value.
1 r3 _. t5 z8 g( O4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)- H6 j/ `0 I1 |- s; z. [6 l
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
7 V) @6 V, \+ b4C19:00A4 INC CX
5 r3 S# b5 u* B |4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
; B0 D* d+ J) ^( D4C19:00A8 JB 0095 ; 6 different commands.2 J% L( ?" f: P7 r- v/ ~8 y
4C19:00AA JMP 0002 ; Bad_Guy jmp back.+ o; u" a+ E' a: j, R4 m
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
0 |2 }. y2 d0 \$ M2 W$ Q. S/ q
The program will execute 6 different SIce commands located at ds:dx, which4 ~7 X K- u4 c8 P
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
6 t6 f' J+ f* B5 V- f7 S* }! P% ?8 R; a5 F2 b
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.5 B# B6 ~6 o( F' O* P
___________________________________________________________________________! G2 v* R6 u1 A' M6 ~' j( n6 y) d
+ P: M8 n5 B: f$ F2 ]7 g
4 s8 @* `6 U# F4 G1 u# [Method 03& N3 P% e& V" f
=========
5 r, b2 A% t; l. L5 z! C. S: n# k" e+ ^- f3 w% b+ a
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h* |9 u3 i1 M& `
(API Get entry point); S. D. s- j% @9 {+ M' c9 m
! j3 P' [0 _$ P) `/ p4 L. }
2 }$ {- b( N1 G0 H3 O; W* r$ c xor di,di
# j6 h# C9 r k# z8 o mov es,di% }& j) r: G6 s
mov ax, 1684h ) x8 ?( G3 \* k
mov bx, 0202h ; VxD ID of winice" ]" i+ |0 C A
int 2Fh
# O% z$ n4 ?; I" D( b* k mov ax, es ; ES:DI -> VxD API entry point
- |8 _, g2 @" X4 P/ c. M add ax, di
4 ~# m; g+ S9 L! E/ S$ f% U1 Y$ g test ax,ax+ v7 Z- N! E0 t, c5 W
jnz SoftICE_Detected
! ~6 L+ ^8 j6 R# j4 Z0 _" p3 q4 s% _9 o5 V/ t
___________________________________________________________________________% ^$ n2 j+ [2 D
' e7 [0 m- I/ P' X* a" QMethod 04! F$ T& n* R0 b( G
=========# {) h s6 c+ f' A2 o1 O
3 [& e2 U8 x+ z* E; p/ S
Method identical to the preceding one except that it seeks the ID of SoftICE+ x. j9 o3 b+ s( Z
GFX VxD.
/ G, C" n+ k$ L7 }& u$ i$ b3 d2 }- d$ b7 x: `8 [
xor di,di
t0 I$ g" S2 {8 s, @9 ] mov es,di( Q) [) ]5 [1 @; L9 |8 W
mov ax, 1684h 2 h, M0 o0 J! N
mov bx, 7a5Fh ; VxD ID of SIWVID$ _* C! Z& f9 x' x. z, U0 Q
int 2fh
3 R' Q5 O/ B: ^+ S# g* K mov ax, es ; ES:DI -> VxD API entry point
) v" w. c: ] `/ U. L/ M: C add ax, di
) w, R/ _3 G# s, \6 _" Q test ax,ax1 ?4 h3 m: v \* H3 x
jnz SoftICE_Detected: X8 M, f% q% P9 q$ T
; y' @$ ?: z* ?
__________________________________________________________________________
: F$ f3 C6 v5 W8 C8 o1 K9 H7 H/ z1 ^+ }. W0 a& H1 g5 F
- [8 q3 n& S2 F0 |
Method 05
) A5 ^& {, ]% N2 u9 c5 |! S4 |=========/ ?. L" v/ a( d! y' C7 J4 W$ g
% l7 l9 I; D. h; H2 J7 V) B
Method seeking the 'magic number' 0F386h returned (in ax) by all system4 K" y8 Q/ e8 F, n5 A
debugger. It calls the int 41h, function 4Fh./ r7 q7 k! r/ J R$ T
There are several alternatives. 2 `2 Y; Y) _+ N- M& m5 W8 u
, D% Y8 P5 M8 OThe following one is the simplest:
5 A' d6 y$ Z5 b+ Q
2 I- g+ V3 j& ^ mov ax,4fh
4 @; C$ N6 y. }: X int 41h+ m+ Y2 U0 P2 K: P! H, b3 F
cmp ax, 0F386
" P! a- I( F f& Q: U0 j jz SoftICE_detected
6 ~7 W' t# e5 ]
; M, N8 }2 q% c9 O
3 O3 C/ u+ u, h) }. x/ u; RNext method as well as the following one are 2 examples from Stone's
8 A, l- Q4 Y* @$ i+ r"stn-wid.zip" (www.cracking.net):+ {9 h* I4 ^1 O- E6 b
- Q7 i4 {( M# ~( r" T mov bx, cs
1 b0 p* g6 v5 q! w, F$ g+ z( b: B lea dx, int41handler26 ]1 S% F7 x% h$ o5 r) _$ t
xchg dx, es:[41h*4]7 b4 P) Z* T2 `" b$ o2 o
xchg bx, es:[41h*4+2]# G; Z6 t2 K) y1 C
mov ax,4fh
- u4 D/ k. A# o: _2 _$ W int 41h
: N2 K1 ~4 N9 D8 a1 l: F xchg dx, es:[41h*4]
& P2 k" A) ^* D* \/ t xchg bx, es:[41h*4+2]; G1 W/ _9 b" N# J& |% ~5 I4 y0 R
cmp ax, 0f386h
9 t/ `$ ?8 K! Z/ m+ _9 y0 ` jz SoftICE_detected3 D. g6 s/ S; {; r0 K0 _" i( A: V
2 q3 q+ P5 e6 p& o0 E* k5 \
int41handler2 PROC
9 a2 O7 u, K( F: l iret& z' Z1 w/ A' H( _5 j
int41handler2 ENDP( ^7 g/ |/ L% N' S. }
, g* B% u( y# c% O/ _9 E
8 O& P7 y+ e" E( p_________________________________________________________________________5 e' {! ^( p+ v7 I
+ Z5 i9 L6 A: e& H% o) D3 t! d. ^+ b" O% H5 V& F8 w; I( [: d
Method 06% U8 U$ m' ?5 Q! P" a# b
=========) W7 b" P+ G: d/ X) b6 \
3 g1 G/ E/ I0 ^" T% P+ A K+ I4 n2 }1 @# X% g/ T# R2 y( ]
2nd method similar to the preceding one but more difficult to detect:* |. d% @/ m& L) \8 j
1 h$ G7 x* B' A0 c/ z8 p
/ w; N' |/ m1 h8 n( G- X0 y" Jint41handler PROC
' U. j8 S) q2 y3 {. ] mov cl,al
4 U1 C* U+ e3 _' U iret: a2 X, H+ n# Q+ Y; t
int41handler ENDP1 R9 r+ W0 j' X& r/ |
- N# K0 V% o, h% T7 u8 S1 Z
/ U3 l/ _ V) V2 s6 h( _' j$ B& h xor ax,ax( V' c( w3 ~# W3 H r% a
mov es,ax
1 p; d6 b. T* z mov bx, cs
& x* {! F1 [0 r1 r0 E lea dx, int41handler
" I, u3 c% {, q0 C: q; l& ~ xchg dx, es:[41h*4]
% d' u2 {3 I; j- E' v0 c xchg bx, es:[41h*4+2]
2 `! R7 D) Z# @1 F7 q in al, 40h
" k3 G/ x% H9 P O xor cx,cx
! n# C! Z, }' d9 i5 b* Q0 D; [ int 41h
2 J: B3 P4 q+ \" V- l7 V: G xchg dx, es:[41h*4]# C- G8 G) m% Z, \. W/ }, \% u4 T
xchg bx, es:[41h*4+2]
2 c7 W$ j3 y* [1 n$ V* b5 I cmp cl,al
( [; h3 H' N. F% O jnz SoftICE_detected2 ^: Z$ r/ G+ p
2 `$ P, s7 h2 V$ y2 L [* C_________________________________________________________________________
$ E5 `5 p2 e; v' v+ j( e- }4 z# f8 @! {/ F" w, p! \
Method 073 v# j$ Z0 [- L3 O
=========1 x! p( q7 C- |: p
' g6 s. n' E8 @% `6 kMethod of detection of the WinICE handler in the int68h (V86)% D& `% P- _8 Z7 l+ ]
9 o% `/ r# s4 X* V0 D* y+ k' ~ mov ah,43h. X1 O2 M v0 f, |: d
int 68h
+ H* H! p X5 ` cmp ax,0F386h
6 j x$ | T1 D+ D: C4 D* l, ? jz SoftICE_Detected) h+ q" ^- ~1 L' R" P
/ Q3 E( a. p) J
0 c- c3 Z9 B N=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit$ ]. p' H' ~- N6 w# ?6 X) L
app like this:
6 K: I) u, ?9 N2 t) f" }0 |
; e3 c9 t* a1 ]3 Z* B3 c N8 T+ v BPX exec_int if ax==68
' f% h4 }+ I9 z (function called is located at byte ptr [ebp+1Dh] and client eip is. E0 Q; @/ E# i1 D. d* f
located at [ebp+48h] for 32Bit apps)7 I) M9 E9 J8 a9 d K, u l
__________________________________________________________________________
7 Z$ m' e) f( u/ E! j6 a, l
0 G& d- V# L& v* p) R0 K8 e& }& O8 `5 E( K; r
Method 080 l" L% M3 c2 ^4 x$ l7 u0 Q. l0 X/ m
=========
( J4 A7 J: V7 |4 F7 @6 h
& I1 j" V, r4 x U/ _It is not a method of detection of SoftICE but a possibility to crash the
! e0 q( o" ?3 Y* @system by intercepting int 01h and int 03h and redirecting them to another4 L5 J- L7 K5 b
routine.
4 B( o( U- N4 t cIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
( H! y' ^: d- u% ?5 gto the new routine to execute (hangs computer...)
' N1 X) f/ Y/ e+ u- S S! Z1 O9 P; D) b7 Q/ {# Y
mov ah, 25h
" X- w }, j! q }& D mov al, Int_Number (01h or 03h)
+ z8 ?3 _, L+ z* m* H; M4 j mov dx, offset New_Int_Routine! v+ i! n5 k1 ~
int 21h9 T7 G" u, a/ E; G
) P, B6 V" @) m+ j" M' K6 l0 v__________________________________________________________________________0 M$ V+ ^9 _7 U: @- ^. l& P' m
2 R1 u/ [. w( B. U
Method 09! H: K) _# n) R/ r: q, j R9 @- C
=========
7 O: \- X" c/ g2 D/ b3 h0 T+ b- t9 {: B! Y6 A4 ?# a0 s- s n$ U
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only: |) j& w8 e9 R0 `4 P* C$ R
performed in ring0 (VxD or a ring3 app using the VxdCall).2 x/ ] d5 p* m
The Get_DDB service is used to determine whether or not a VxD is installed
. X0 W% o: @. n& Efor the specified device and returns a Device Description Block (in ecx) for
. S4 c6 `7 H4 d5 \3 ]: M: m% Ithat device if it is installed.' Z9 h: n+ T+ K! x" V. ?+ n: B6 z) g
3 R% ?/ e3 m! p& h mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
/ p- H9 Z$ W# [; h' g& G& A mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
3 T; P& ~. X$ S% `# g; y/ c# b* E VMMCall Get_DDB
( I* v3 i3 n, ^# d$ | mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
& C# \' t' _/ b4 ^5 n7 a* |/ G- v: c$ P* l# R
Note as well that you can easily detect this method with SoftICE:
$ \1 l0 k3 r6 F& }8 f2 O bpx Get_DDB if ax==0202 || ax==7a5fh
# K" ^3 M0 d2 V5 C& P9 ~7 O6 \1 ~/ D) }2 D3 P* s
__________________________________________________________________________
6 ]+ x, X; f' [4 H1 r
2 [$ c5 v& _' |* C* K& UMethod 101 C6 ~0 Q) l3 R2 d% v. d5 i
=========3 e' k1 q+ N0 V+ s& \6 [: x( e6 b
8 m x" F& v! y- s b. B
=>Disable or clear breakpoints before using this feature. DO NOT trace with
( L4 y4 l# r9 A6 ?, T' a1 c% Z SoftICE while the option is enable!!
" W; Z8 T3 a& d. Z) ~7 G- D( `& }9 J0 Q: i9 B) V3 N
This trick is very efficient:
2 F/ ]9 ~. P- p. y% h7 e# aby checking the Debug Registers, you can detect if SoftICE is loaded
) ~! o! f- s. R: l(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
% a- z5 ~. ~6 m; m Mthere are some memory breakpoints set (dr0 to dr3) simply by reading their9 b. i' G B8 a; A. G8 B
value (in ring0 only). Values can be manipulated and or changed as well
" ?& n2 i+ C0 I, w3 S6 D5 P' `(clearing BPMs for instance)9 c9 e1 w/ \ X0 k' [/ ]) H
9 M2 ^; k- R2 P6 u! A. c9 f__________________________________________________________________________
6 c. \8 _7 P7 P! c1 `; P$ r0 `% s6 ]7 @! p3 @& T
Method 11( ]; ]+ O+ O, D1 x/ ~& P; k
=========
; k* z/ ~2 c: z% ^! i# s
+ F' F! ]# b- t( d* e! }8 uThis method is most known as 'MeltICE' because it has been freely distributed
6 R% J* P# E, Z$ I$ Z0 U% svia www.winfiles.com. However it was first used by NuMega people to allow
7 v% ~2 |" ^' D) ^2 r2 E2 M. cSymbol Loader to check if SoftICE was active or not (the code is located* e0 U3 \1 O2 d3 p& b @
inside nmtrans.dll).5 u5 {) O7 ^; x! V! [1 J: d S# o4 L* U
& [* U8 u, H5 G4 r" j4 ^ C/ |# GThe way it works is very simple:# i9 A5 P/ a. q/ S! [" |$ [
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for7 x0 J; O/ T ~7 k: c# z
WinNT) with the CreateFileA API." V8 b0 I3 x# W6 H
. p3 `- Y0 V, J/ A: XHere is a sample (checking for 'SICE'):. A, D3 ^$ W# s- _4 x. ]0 l
6 x8 `3 t# Y2 X9 `BOOL IsSoftIce95Loaded()
0 _. ]! R; P8 p2 W6 Z. s; V{
) C* W( M( l& F7 m I7 T# Y1 n0 t HANDLE hFile;
|2 x- E- M8 A" D( D5 J, v hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
, \' [& d" y9 j! }5 {7 E FILE_SHARE_READ | FILE_SHARE_WRITE,
! X; X8 U- \6 Y- }* m1 _8 P* J* V NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);: {+ Y5 v, U$ a3 J/ i
if( hFile != INVALID_HANDLE_VALUE )
. w: N ?) V) _; }# S: W' ] {/ v. G0 z5 R6 d J( U. H2 A1 R& a
CloseHandle(hFile);& V W/ ]5 y7 X* }7 ]9 x
return TRUE;
- H1 T( M$ i7 M1 ^9 I }
; r, @5 b7 W! Z; m4 h- o return FALSE;, \ y/ z; r/ Q, E; W2 y
}8 j' E; \) ?5 n! |
7 h& z, o1 q' ~3 { P' w4 [9 o, A$ Y
Although this trick calls the CreateFileA function, don't even expect to be
- @. D. { M9 j/ [9 h8 g& Q: r: ^2 pable to intercept it by installing a IFS hook: it will not work, no way!
m0 B2 J4 b- [% { e @" s: V) VIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
' l! V5 U- T5 [5 |service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
3 G4 N4 P* H, K! F3 {! Hand then browse the DDB list until it find the VxD and its DDB_Control_Proc
; O: W/ v& E+ r5 m' b) Ufield.5 K" P: d, j1 ^- }. I) }
In fact, its purpose is not to load/unload VxDs but only to send a 2 T* w& R7 E j) \/ v: e3 _
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
6 O6 l. U! ?% k: a& M* Y, gto the VxD Control_Dispatch proc (how the hell a shareware soft could try
( @" K4 Q9 s; C R* t* b% [, Hto load/unload a non-dynamically loadable driver such as SoftICE ;-).
3 K v) g2 s$ F# Q% P( S3 A% [If the VxD is loaded, it will always clear eax and the Carry flag to allow
9 S# \& s+ X8 O) T u6 @% `0 V" Bits handle to be opened and then, will be detected.
6 \, x, ]7 S) B9 n7 H# o# Q1 C' \1 ]You can check that simply by hooking Winice.exe control proc entry point: m7 ]/ M( }. n' P. b; A7 u
while running MeltICE.7 p1 e$ g% p! s' O( M7 S
9 B f9 V i) J" `+ q; m; y, c& d9 e( e) c& Q) [( M
00401067: push 00402025 ; \\.\SICE0 @9 U1 `; | }% r9 p9 @2 q* t5 ~$ g
0040106C: call CreateFileA: l6 a1 e {$ z# B4 `; M; [
00401071: cmp eax,-001
. |3 {4 F: p# y, Z/ m; v 00401074: je 00401091. f6 d& d' P9 _6 K* I- g% P0 h
3 B9 S8 D2 Y$ l
0 X; e3 D2 ?+ E, G
There could be hundreds of BPX you could use to detect this trick.3 G% O/ q) ]4 B: c" ]( u
-The most classical one is:
. o! `$ _3 x# @3 J$ B) h( u- H BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||- t( F) K7 S% p8 n" E9 E
*(esp->4+4)=='NTIC'
! Z. O4 W8 ]9 g+ t; ^9 Y* O [. V
-The most exotic ones (could be very slooooow :-(
! j' V& T( n8 {+ L BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') g* P3 S, p0 a3 Q) X5 G
;will break 3 times :-(
. S0 Q; t' W1 f
" ~) ~( _1 Z' X9 ?5 R; W2 \! g3 R v-or (a bit) faster: j5 \* G( m e: o% R# n0 y
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')% a, V: W* w X0 l# _( s9 w
6 m& Z- w. n2 V" Q, r4 \' K BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' ' F& n" ?$ b* ^; x5 Z! W
;will break 3 times :-(
% \1 ?" `1 }4 [, e" s1 p( {$ L' ]3 T& M5 L4 N/ N. Q* t1 l9 i
-Much faster:
, W6 z G* p; Q; \, @8 b @ BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'$ @+ r$ E! k' t6 c$ C
$ q9 w d1 |' k$ A& J
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
: s+ z% G1 k: z; Q, K' Vfunction to do the same job:' a0 C9 e0 u ~( D1 d* P# O
# C' P( f4 d" q& L, _1 S' Q4 w* F1 y
push 00 ; OF_READ4 F7 A0 K4 U: ~/ r( e2 |+ l+ e O6 d
mov eax,[00656634] ; '\\.\SICE',0
/ o6 M4 \( B# t6 [ push eax( Y# e0 q" q4 n+ f9 y0 H% s
call KERNEL32!_lopen) H/ p' f4 |, T- ]
inc eax
, h0 A. d1 l& L2 j jnz 00650589 ; detected
! r' t$ E2 R$ [1 J; [ push 00 ; OF_READ- b/ i, y) Y& o) E! z% [, i' t8 @: Y1 o
mov eax,[00656638] ; '\\.\SICE'; o( u! S; B4 p
push eax# d& g/ b4 d: e9 \6 ]+ b
call KERNEL32!_lopen
' d9 J% d M) e! W+ j inc eax
- k: c. n0 ^$ @# ?. P# v1 O jz 006505ae ; not detected
% Y( `( H9 e0 i2 ?1 O# G4 J0 e$ q6 f* x
1 \% C, v% T8 E# R% w2 T
__________________________________________________________________________: A) v3 h7 m9 {2 l0 G- ?3 J; ?
' z" o t u4 d5 m& ~
Method 12% X. s; i6 `, a! Q+ r
=========
4 L! V& }# K2 r; r& b& p* a) x+ U7 Q4 ]3 \1 A
This trick is similar to int41h/4fh Debugger installation check (code 05- c* T. ^' T' B7 u; T
& 06) but very limited because it's only available for Win95/98 (not NT)
/ \! f) p0 e5 R2 y% mas it uses the VxDCall backdoor. This detection was found in Bleem Demo./ u7 F& d' a% M) ~7 Q
/ U/ k4 V, o+ ]; _) Q- m4 Q push 0000004fh ; function 4fh
3 N4 j& e9 ?$ s push 002a002ah ; high word specifies which VxD (VWIN32)) t0 i9 i% z( d) {& ]1 Z
; low word specifies which service
2 H E0 G) f& v& J, d (VWIN32_Int41Dispatch)+ J0 p( j, t* @2 z" i( f2 r5 @
call Kernel32!ORD_001 ; VxdCall
9 j N5 Y9 h j5 q& _5 ~ cmp ax, 0f386h ; magic number returned by system debuggers, u( @0 X3 x6 K$ t5 c+ c
jz SoftICE_detected# |* z; m6 B0 @6 M3 k6 J0 P
: }" u+ j. ^' M+ B
Here again, several ways to detect it:
$ I6 X/ P4 q- b$ Y4 x4 U$ k0 k1 k r
. n6 p( @4 M: w+ L/ D/ o) ~ BPINT 41 if ax==4f7 k* I4 R$ \5 `5 J
' ?9 d, N9 i4 ~
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one8 u: ?8 {: i) u3 E- M7 v: D7 G
0 b' ?2 U, Y7 X5 l
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
9 Q& l8 c/ g; N! W; P
; S9 F; S, Q0 w1 c' s7 ?: e% n4 s3 S BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
; d2 |. {0 v8 J* ~6 F1 \+ v, Q8 P
8 J9 V' k! `9 a: ~6 r/ _8 P__________________________________________________________________________
( D2 ?7 F# i: a: U
7 U* P$ b" Q9 wMethod 131 i4 n" L+ ~5 I' Z3 E
=========
s3 v: S# `6 b# i. k2 K
2 D6 t5 f' k# o7 ^' pNot a real method of detection, but a good way to know if SoftICE is7 v6 v* p2 C5 a+ o6 T& ]0 r
installed on a computer and to locate its installation directory.
# t+ Y5 i0 b7 UIt is used by few softs which access the following registry keys (usually #2) :
* T8 x3 V8 l2 B9 z0 @$ ~* A8 U! @) ?' B* c2 T# r
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion- P& _& B. e {7 |: p- Y
\Uninstall\SoftICE
, N1 S8 a% d: h& r- `-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE% B0 O3 J+ H9 U* y6 ]/ I v6 h1 G
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
( H" Q& I* E% w2 v\App Paths\Loader32.Exe
# i% U8 u, D! z( b: m8 \0 y0 V N$ j- k3 ^* D" g
# P$ \) C9 T/ c3 z' W6 z( x
Note that some nasty apps could then erase all files from SoftICE directory2 ~# g7 p& X9 A3 ^
(I faced that once :-(
2 q7 Q& p9 Q9 L! p! b( i- ]7 C7 s
Useful breakpoint to detect it:
& \* }, ~4 m7 ~! K, O4 Z* W! G
2 S( Y5 G6 d( {9 q9 C+ I ~2 J4 z. Q BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'# j' b# `# m. N$ x2 z1 q" ?
) g+ H' ?# ?+ T3 w: m: I3 d
__________________________________________________________________________0 ^% |* J. m4 v* B7 V
. o& K) W* U' A& D. Z$ q
7 q$ k" o* Y0 F: }7 gMethod 14 2 S' J6 f1 m) {( p
=========
: i6 [& M {$ l+ F' w2 L0 A( ^! s- A+ k z
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
) t/ N: t! R+ F4 E& Q5 K. Qis to determines whether a debugger is running on your system (ring0 only)./ z; F( [! f G5 W
1 Y7 }2 C4 t1 k
VMMCall Test_Debug_Installed3 e. |" S) H) A( n% I! @
je not_installed, A% {, ?8 X5 }$ t S7 h# ^3 h `
( x5 a' ?' T. s/ O! wThis service just checks a flag.+ [" A) k) Y5 V6 w: J+ j1 e L
</PRE></TD></TR></TBODY></TABLE> |