<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE exposes on int 3:
called with EBP='BCHK' and AX=4, SoftICE modifies AL, so if AL is still
4 afterwards no SoftICE is present.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint infos)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you'll see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler installed by the
  program, which only gets control when the debugger is not loaded (when
  SoftICE is present it services the int 3 itself and execution continues
  at 00A1).
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API "Get device API entry point"): if the VxD is loaded, ES:DI is set to
its API entry point, otherwise ES:DI stays 0.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy int 41h handler is installed in
the IVT before the call (so the call is harmless when nothing handles int
41h) and restored afterwards; SoftICE intercepts the interrupt before the
IVT handler runs, so AX is still 0F386h when it is loaded:

        xor ax, ax
        mov es, ax              ; ES=0 so es:[41h*4] addresses the IVT entry
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler, keep the old offset
        xchg bx, es:[41h*4+2]   ; ... and the old segment
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
value passed in AL is a random byte read from the timer port, so there is
no function number a debugger could break on. The installed handler copies
AL into CL, so CL differs from AL only when something else (SoftICE)
handled the interrupt instead of our handler:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES=0 so es:[41h*4] addresses the IVT entry
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; random byte from PIT counter 0
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode debugger
interface):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(DR7=0x700 if the program was loaded with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints (BPMs) are set (DR0 to DR3),
simply by reading their values (ring0 only). The values can be manipulated
or changed as well (clearing BPMs for instance).
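Reading DR7 needs ring 0, but decoding a value once you have it does not. The following C program is an added example (not from the original page, nor SoftICE/NuMega code): it decodes the DR7 bit fields so you can see why the page's two numbers differ (0x700 is LE|GE plus the always-set bit 10, 0x400 is bit 10 alone), counts the armed DR0-DR3 slots (the BPMs) with their type and length, and shows what "clearing BPMs" writes back. The sample value 0x010F0711 and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM, vol. 3, "Debug Registers"):
 *   bits 0..7          L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
 *   bit 8 LE, bit 9 GE                          exact breakpoint enables
 *   bit 10                                      reserved, always reads as 1
 *   bit 13 GD                                   general detect (trap on DR access)
 *   bits 16+4n..17+4n  R/Wn   0 exec, 1 write, 2 I/O, 3 read/write
 *   bits 18+4n..19+4n  LENn   0: 1 byte, 1: 2 bytes, 3: 4 bytes
 */
#define DR7_LE   (1u << 8)
#define DR7_GE   (1u << 9)
#define DR7_RSVD (1u << 10)
#define DR7_GD   (1u << 13)

struct hw_bp {
    int enabled;     /* L or G bit set for this slot */
    unsigned rw;     /* R/Wn field */
    unsigned len;    /* LENn field */
};

/* Decode slot n (0..3) of DR7. */
static struct hw_bp dr7_breakpoint(uint32_t dr7, unsigned n)
{
    struct hw_bp bp;
    bp.enabled = ((dr7 >> (2 * n)) & 3u) ? 1 : 0;
    bp.rw      = (dr7 >> (16 + 4 * n)) & 3u;
    bp.len     = (dr7 >> (18 + 4 * n)) & 3u;
    return bp;
}

/* How many of DR0..DR3 are armed, i.e. how many BPMs SoftICE has set. */
static int dr7_active_count(uint32_t dr7)
{
    int count = 0;
    for (unsigned n = 0; n < 4; n++)
        count += dr7_breakpoint(dr7, n).enabled;
    return count;
}

/* The page's loader heuristic: 0x700 is LE|GE plus the reserved bit, 0x400
 * is the reserved bit alone, so the difference is whether LE and GE are set. */
static int dr7_looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* What "clearing BPMs" amounts to: drop every enable bit and every R/W-LEN
 * field, keep bits 8..15 (LE, GE, GD and the always-set bit 10) untouched. */
static uint32_t dr7_with_bpms_cleared(uint32_t dr7)
{
    return (dr7 & 0x0000FF00u) | DR7_RSVD;
}

static const char *rw_name(unsigned rw)
{
    static const char *const names[] = { "exec", "write", "io", "read/write" };
    return names[rw & 3u];
}

static void dr7_dump(uint32_t dr7)
{
    printf("DR7=0x%08X loader=%d armed=%d\n", (unsigned)dr7,
           dr7_looks_like_softice_loader(dr7), dr7_active_count(dr7));
    for (unsigned n = 0; n < 4; n++) {
        struct hw_bp bp = dr7_breakpoint(dr7, n);
        if (bp.enabled)
            printf("  DR%u: %s, len field %u\n", n, rw_name(bp.rw), bp.len);
    }
}

int main(void)
{
    /* Constructed sample: started from the SoftICE loader (LE|GE), a 4-byte
     * read/write BPM in DR0 and a 1-byte write BPM in DR2. */
    const uint32_t sample = 0x010F0711u;
    dr7_dump(0x400u);
    dr7_dump(sample);
    dr7_dump(dr7_with_bpms_cleared(sample));
    return 0;
}
```

The decoder is only as good as the value fed to it: a protection reading DR7 from ring 0 sees the live register, and SoftICE's loader heuristic (LE/GE) is a hint, not proof, since other debuggers and the OS may set those bits too.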
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN, then
DIOC_CLOSEHANDLE) to the VxD Control_Dispatch proc (how the hell could a
shareware soft try to load/unload a non-dynamically loadable driver such as
SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns -1 on failure, hence the
"inc eax" test):

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected
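As an added example (not the page's, MeltICE's or NuMega's code), here is the same probe generalised to all three device names the text lists, with the open attempt behind a function pointer so that the CreateFileA and _lopen variants share one loop and the logic can be exercised off Windows with a constructed fake opener. The function names and the fake openers are assumptions of the example; on Windows the two real openers compile in.

```c
#include <stdio.h>
#include <string.h>

/* Device names MeltICE-style code probes: Win9x SoftICE, Win9x SoftICE
 * video driver, WinNT SoftICE (the three names given in the text). */
static const char *const SOFTICE_DEVICES[] = {
    "\\\\.\\SICE",
    "\\\\.\\SIWVID",
    "\\\\.\\NTICE",
};
#define SOFTICE_DEVICE_COUNT 3

/* An opener reports whether a device path could be opened (1) or not (0).
 * The probe is written against this pointer so the real CreateFileA/_lopen
 * openers and a fake one share the same loop. */
typedef int (*device_opener_fn)(const char *path);

/* Returns a bitmask: bit i is set when SOFTICE_DEVICES[i] could be opened. */
static unsigned probe_softice_devices(device_opener_fn opener)
{
    unsigned mask = 0;
    for (unsigned i = 0; i < SOFTICE_DEVICE_COUNT; i++)
        if (opener(SOFTICE_DEVICES[i]))
            mask |= 1u << i;
    return mask;
}

static int softice_loaded(device_opener_fn opener)
{
    return probe_softice_devices(opener) != 0;
}

#ifdef _WIN32
#include <windows.h>
/* The page's CreateFileA probe: a successful open means the driver answered
 * DIOC_OPEN; the handle is closed again at once. */
static int createfile_opener(const char *path)
{
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    CloseHandle(h);
    return 1;
}
/* The AZPR variant: _lopen returns HFILE_ERROR (-1) on failure, which is
 * what "inc eax / jnz detected" tests in the disassembly above. */
static int lopen_opener(const char *path)
{
    HFILE h = _lopen(path, OF_READ);
    if (h == HFILE_ERROR)
        return 0;
    _lclose(h);
    return 1;
}
#endif

/* Constructed stand-in for a Win9x box with SoftICE loaded: the two Win9x
 * devices open, the NT one does not. */
static int fake_win9x_softice_opener(const char *path)
{
    return strcmp(path, "\\\\.\\SICE") == 0 || strcmp(path, "\\\\.\\SIWVID") == 0;
}

/* Constructed stand-in for a machine without SoftICE: nothing opens. */
static int fake_clean_opener(const char *path)
{
    (void)path;
    return 0;
}

int main(void)
{
#ifdef _WIN32
    printf("CreateFileA probe: %s\n", softice_loaded(createfile_opener) ? "SoftICE detected" : "not found");
    printf("_lopen probe:      %s\n", softice_loaded(lopen_opener) ? "SoftICE detected" : "not found");
#else
    printf("fake Win9x+SoftICE mask: 0x%x\n", probe_softice_devices(fake_win9x_softice_opener));
    printf("fake clean mask:         0x%x\n", probe_softice_devices(fake_clean_opener));
#endif
    return 0;
}
```

Whichever opener is used, the interesting work happens in the driver's control proc as the text explains, which is why the useful breakpoints are on CreateFileA, _lopen, the VxDCall path or VMM_GetDDBList rather than on the file system.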

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

___________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it (the two offsets are where 'tICE' falls
inside the subkey strings of #2 and #1):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
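The conditional breakpoints in Methods 11 and 13 all compare a 4-byte dword at some offset inside a string argument. The following C program is an added example (not from the page) that emulates exactly those expressions on constructed arguments: the 'SICE' literal packed the way SoftICE's evaluator packs it, *(esp->4+4) for CreateFileA and _lopen, *(esp->8+0x13) and *(esp->8+0x37) for RegOpenKey, and a helper that derives the two offsets from the key names. KEY_UNINSTALL, KEY_NUMEGA and the function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The registry subkeys from Method 13 (#1 and #2) as the target program
 * passes them to RegOpenKey (without the HKEY_LOCAL_MACHINE root). */
static const char *const KEY_UNINSTALL =
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE";
static const char *const KEY_NUMEGA = "Software\\NuMega\\SoftICE";

/* SoftICE's expression evaluator turns 'SICE' into a dword with the first
 * character in the lowest byte, i.e. the bytes as they sit in memory on x86. */
static uint32_t pack4(const char *s)
{
    return (uint32_t)(unsigned char)s[0]
         | (uint32_t)(unsigned char)s[1] << 8
         | (uint32_t)(unsigned char)s[2] << 16
         | (uint32_t)(unsigned char)s[3] << 24;
}

/* Emulates  *(ptr+off)=='XXXX'  on a C string: read the 4 bytes at ptr+off
 * and compare them as one dword. A string too short to hold 4 bytes there
 * never matches (the real breakpoint would just read whatever follows). */
static int dword_at_equals(const char *ptr, size_t off, const char *lit)
{
    if (strlen(ptr) < off + 4)
        return 0;
    return pack4(ptr + off) == pack4(lit);
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || ... : esp->4 is the first stack
 * argument (lpFileName) and +4 skips the "\\.\" prefix. The same condition
 * fits _lopen, whose first argument is also the path. */
static int bpx_createfile_matches(const char *lpFileName)
{
    return dword_at_equals(lpFileName, 4, "SICE")
        || dword_at_equals(lpFileName, 4, "SIWV")
        || dword_at_equals(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE' :
 * esp->8 is the second argument (lpSubKey); 0x13 and 0x37 are where the
 * 'tICE' of "SoftICE" sits in keys #2 and #1 respectively. */
static int bpx_regopenkey_matches(const char *lpSubKey)
{
    return dword_at_equals(lpSubKey, 0x13, "tICE")
        || dword_at_equals(lpSubKey, 0x37, "tICE");
}

/* How those two offsets are derived: position of "SoftICE" in the subkey,
 * plus 3 to land on 'tICE'. Returns -1 when the name is absent. */
static long offset_of_tICE(const char *subkey)
{
    const char *p = strstr(subkey, "SoftICE");
    return p ? (long)(p - subkey) + 3 : -1;
}

int main(void)
{
    printf("'SICE' as a dword: 0x%08X\n", (unsigned)pack4("SICE"));
    printf("'tICE' offset in key #1: 0x%lX, key #2: 0x%lX\n",
           offset_of_tICE(KEY_UNINSTALL), offset_of_tICE(KEY_NUMEGA));
    printf("CreateFileA(\"\\\\.\\SIWVID\") breaks: %d\n",
           bpx_createfile_matches("\\\\.\\SIWVID"));
    printf("RegOpenKey(key #2) breaks: %d\n", bpx_regopenkey_matches(KEY_NUMEGA));
    return 0;
}
```

The offset helper is the check to run before trusting a hard-coded offset in a breakpoint: a program that opens the key with a different prefix (a trailing backslash, a Wow6432Node path, or HKEY_LOCAL_MACHINE spelled out in the string) shifts 'tICE' and silently defeats both conditions.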

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>