<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK' - BoundsChecker magic
    mov ax, 04h
    int 3                   ; SoftICE's int 3 handler answers the BCHK request
    cmp al,4                ; without SoftICE al still holds 4; its handler changes it
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - ds:dx points to the command string)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(get device API entry point):

    xor di,di
    mov es,di
    mov ax, 1684h           ; int 2Fh: get VxD API entry point
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0:0 if the VxD is not loaded
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                   ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install a dummy int 41h handler,
    xchg bx, es:[41h*4+2]       ; saving the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h              ; the dummy handler never returns 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al                   ; copy al so the caller can tell we were run
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax                   ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; read the timer: an unpredictable byte
    xor cx,cx
    int 41h                     ; our handler sets cl=al unless SoftICE takes the int
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...).

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name succeeds only if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF is set when no debugger is installed

This service just checks a flag.
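The methods above share a handful of fixed byte patterns (the 'BCHK' and 4647h/4A4Dh magic values, the int 2Fh/1684h VxD IDs, the 0F386h compare, the \\.\SICE-style device names and the NuMega registry key). The following added example, which is not part of the original text, is a small static signature scanner an analyst can run over a DOS/Win9x-era sample to list which of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 it carries. The opcode encodings are the standard x86 ones for the instruction sequences quoted in each method and are assumptions made here, not bytes taken from the page; the sample buffer is constructed.

```python
"""Static scan for the SoftICE detection patterns described above.

Added example (not part of the original text). The opcode encodings are the
standard x86 encodings of the instruction sequences quoted in each method;
they are assumptions here, not bytes taken from the page.
"""
import re

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') -> BD 4B 48 43 42
    "M01 BoundsChecker magic (mov ebp,4243484Bh)":
        re.compile(rb"\xbd\x4b\x48\x43\x42"),
    # Method 02: mov si,4647h ; mov di,4A4Dh -> BE 47 46 BF 4D 4A
    "M02 back door magic (mov si,4647h; mov di,4A4Dh)":
        re.compile(rb"\xbe\x47\x46\xbf\x4d\x4a"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "M03/04 int 2Fh/1684h with SICE or SIWVID VxD ID":
        re.compile(rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    # Method 05, simplest form: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "M05 int 41h/4Fh then cmp ax,0F386h":
        re.compile(rb"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    "M07 int 68h/43h then cmp ax,0F386h":
        re.compile(rb"\xb4\x43\xcd\x68\x3d\x86\xf3"),
    # Method 11 (MeltICE): NUL-terminated ANSI device names
    "M11 MeltICE device name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh ; push 002A002Ah -> 6A 4F 68 2A 00 2A 00
    "M12 VxDCall VWIN32_Int41Dispatch function 4Fh":
        re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    # Method 13: registry key #2 as an ANSI string
    "M13 NuMega registry key":
        re.compile(rb"Software\\NuMega\\SoftICE"),
}


def scan(blob: bytes):
    """Return a sorted list of (offset, signature name) for every hit in blob."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(blob):
            hits.append((match.start(), name))
    return sorted(hits)


def summarize(blob: bytes):
    """Return the set of method labels ('M02', 'M11', ...) found in blob."""
    return {name.split()[0] for _, name in scan(blob)}


# Constructed sample: NOP filler around hand-assembled fragments of
# Method 02 (as in the Haspinst.exe listing), Method 05 and a MeltICE string.
SAMPLE = (
    b"\x90" * 8
    + b"\xb8\x11\x09"                               # mov ax,0911h
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"               # mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"   # mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                            # "\\.\SICE"
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

The patterns only catch the literal sequences quoted on this page: a packer that loads the magic values through other registers, splits the instructions, or stores the device name as a wide string will not match, so treat a hit as a pointer to where the breakpoints listed in each method should be set, not as a complete anti-debug inventory.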
</PRE></TD></TR></TBODY></TABLE>