<TABLE width=500>
' R: ^) U$ U$ @9 T3 M<TBODY>
7 L0 C+ L. S0 X4 e- |6 k<TR>
0 j& u. R* G2 ~7 R* w. h' x<TD><PRE>Method 01 4 S! j; {0 J- \1 o8 n" C
=========; v% V4 z0 b4 F. V- V8 Z$ f2 p3 f: b
8 |5 e! g; e0 uThis method of detection of SoftICE (as well as the following one) is" E' Z. r0 k2 a$ G$ c, J" J
used by the majority of packers/encryptors found on Internet.+ n# x1 G6 ~+ J1 ] D/ {5 r' ^& }
It seeks the signature of BoundsChecker in SoftICE6 ^' p; P% I/ ?* z" |. A
$ D: X$ N. U( Y* D0 a mov ebp, 04243484Bh ; 'BCHK'7 s9 s* O3 l- ]. D8 i
mov ax, 04h
7 C( c. y3 R' o% k4 D1 r9 i0 n int 3 ; e: ^) w- T3 ~8 Z
cmp al,4
" B4 r! z( S9 f9 _. | jnz SoftICE_Detected
+ G4 f$ s& W6 D! p' w
, b F7 q# B/ S ]+ @___________________________________________________________________________" o8 x$ ?1 f4 B% o" q8 f
; _( W/ O% }: K, @
Method 02
3 E) q( m9 f+ z0 T1 D& a0 Z=========
: C8 m5 r4 l6 {6 [* @2 _% M1 F1 b' S$ s8 K0 f/ x
Still a method very much used (perhaps the most frequent one). It is used
4 I X' a: X5 T4 h k# Y; bto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
0 Q8 s0 H$ Y mor execute SoftICE commands...8 U" J8 y& [: B0 ]9 V0 f0 l, W
It is also used to crash SoftICE and to force it to execute any commands2 ~& x5 }& R+ D" w/ o; _9 a! o
(HBOOT...) :-(( ; B: c- Z _/ P9 \. q" [
& \* D4 A. y+ H% j8 H
Here is a quick description:
3 f- N: [0 c! t) y& K-AX = 0910h (Display string in SIce windows)
( n' A4 ]! D- t-AX = 0911h (Execute SIce commands -command is displayed is ds:dx) s' @2 c% p$ o: M# l0 |' o
-AX = 0912h (Get breakpoint infos)
+ A# I& k* y' H! T! ^-AX = 0913h (Set Sice breakpoints)
, _! N9 f* n8 n# y2 m: e9 E-AX = 0914h (Remove SIce breakoints)
: v# X$ v. F( c& F$ [0 Q1 F. i) a- {
Each time you'll meet this trick, you'll see:: ?( h5 s* p! |! m) o' M; h% P
-SI = 4647h% ~- {+ S: R* A3 K4 t! I
-DI = 4A4Dh
6 B5 l. A! g2 GWhich are the 'magic values' used by SoftIce.
! J/ c4 g$ n, X/ J8 F4 RFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.2 e; u" U2 b2 }7 D2 Q# T- S. [' A
5 h$ l/ {/ I1 n4 S+ k, D; `5 H* |. M) IHere is one example from the file "Haspinst.exe" which is the dongle HASP6 S+ v# P, r3 M1 j$ _2 ^/ r
Envelope utility use to protect DOS applications:! a. F* P# p) S
4 ?+ w1 K0 }* |' j+ j
8 A: m9 h. R1 ]6 e% B R! @4C19:0095 MOV AX,0911 ; execute command.
6 c- _( y: e& c b) ]- r3 B4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
, ]( a% m' h; c! r# e4C19:009A MOV SI,4647 ; 1st magic value.
- y+ U- _' f$ t" O: q& a1 {0 l4C19:009D MOV DI,4A4D ; 2nd magic value.7 b) o/ q$ K8 ?+ j) l
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)5 w) ~4 o/ |: r5 ~' b6 I* c( \" M
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
9 h3 W1 ~# x. Z4C19:00A4 INC CX$ {1 N9 I2 J. t! ]2 c/ Z
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
) u9 ?: V* D: ^5 L4C19:00A8 JB 0095 ; 6 different commands.
' B; J) h* i) I; ` N. Q7 ~( ^* J4C19:00AA JMP 0002 ; Bad_Guy jmp back. R0 g# ?: Z. c
4C19:00AD MOV BX,SP ; Good_Guy go ahead :). r7 w' e$ P5 t9 D ?4 t
4 R# n. P+ {9 I
The program will execute 6 different SIce commands located at ds:dx, which
7 c* ^1 P) E+ y( h# u( w6 f2 |, Vare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
/ w0 l+ c- F8 w/ L; o; n% s3 j9 f4 z. {2 Z. n8 f
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
( ?" J/ r( J# ?8 x. a' s: ?$ K$ `- u4 d___________________________________________________________________________; l! l$ Z9 l$ d. i0 _
9 @4 i% l3 K- a, @5 _
3 [4 A: s1 T7 R/ n3 W' [/ P2 e
Method 03. u! c Y m" @, ?/ o8 l' k
=========
2 e+ a) G# B3 Z. j; t2 x" R1 R( e7 H" w' i" [" f
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h' n' e+ i' X5 C8 J) M; Y+ J
(API Get entry point)2 J4 N4 X, }7 ^) {3 u9 A1 F
, x/ i! Y) [& I1 v3 [' s, w: k5 I+ ~2 N" F5 l E( F
xor di,di, ?% Q5 N: e3 |( v! e; Q
mov es,di
7 J: f4 J- x5 x7 `7 b mov ax, 1684h 4 m# d# w4 ^& I0 Q$ ?* y
mov bx, 0202h ; VxD ID of winice7 M( x( K, [! L. |5 t/ j W, n
int 2Fh
( e6 `2 e6 \# D7 [8 p mov ax, es ; ES:DI -> VxD API entry point7 V4 N2 F2 J3 M$ \$ m
add ax, di( {+ {, a! K9 @/ N4 e( b
test ax,ax3 G* X7 y+ B7 ~
jnz SoftICE_Detected9 h! X! Z6 T0 |! P; m# T$ ^, z
$ @% p, A' f) t( U, O___________________________________________________________________________- n4 y, n/ U$ n3 ?9 H
: w1 @6 f8 S; J% mMethod 04
! }; a8 I9 d% S=========" o1 L# {( i: T& t
: \6 g7 ^3 D- }( I) Q9 z& m/ i
Method identical to the preceding one except that it seeks the ID of SoftICE% A$ u0 W" b: d% H- H n5 X# z
GFX VxD.
/ [4 a, n" Y8 B) g7 S. O# e& c: t9 s1 D* _# C
xor di,di- e' E* L- z* W2 n/ ~3 h: A* T% U) u
mov es,di
5 N9 |" P$ n$ a: J! }" v5 V mov ax, 1684h 4 o; B: o6 m3 k5 T" E/ g5 T. q
mov bx, 7a5Fh ; VxD ID of SIWVID
T6 i, G( ]( F/ s1 Q$ q/ b' q int 2fh
: R' S( e, @( w6 A* u8 [ mov ax, es ; ES:DI -> VxD API entry point- K* l4 y1 c9 C3 r' G
add ax, di, J4 k# f* `0 G7 D# O
test ax,ax8 v1 c) r; k8 U: }
jnz SoftICE_Detected @" o% ~7 o5 ~$ q K5 @
7 [; O2 c+ o4 M2 `# e, H
__________________________________________________________________________ P1 w. T- |$ ` | I
, P+ K s6 |3 z9 c6 P% s4 a* O- Y# _7 z
1 F; o: A- P: b" W5 @
Method 054 H X& X" \% R: _
=========/ z! w( o$ W# C$ `! Y2 o0 i
2 |& p+ W# ]5 R7 J% F0 ^
Method seeking the 'magic number' 0F386h returned (in ax) by all system
5 V, n! z) B: Wdebugger. It calls the int 41h, function 4Fh.4 {: L. @8 }1 u3 [
There are several alternatives.
% C$ e+ w$ }+ ^. _1 J
2 H: n- u5 S8 ]The following one is the simplest:
9 |' e. K' }- D b/ s/ c9 A3 `( t6 f3 c+ ]% A2 `5 T6 v
mov ax,4fh8 c3 a9 _) f* f' a% }
int 41h/ W% f+ \. m% c. z1 i- T8 d# j7 {
cmp ax, 0F386$ K8 X1 _, H- {! Q6 B4 K& y/ }- p1 K- ^
jz SoftICE_detected: h+ [6 Q) \5 L
9 l: W) W# s' `& k8 D( r. @3 T0 s' I
Next method as well as the following one are 2 examples from Stone's ) r) T. c F0 Y! J4 l* ~; k! B y
"stn-wid.zip" (www.cracking.net):8 ?0 A' O% |2 |8 {
- v$ r; p+ u% D) `) L5 i
mov bx, cs" J; r0 j0 x* H h5 i
lea dx, int41handler2
0 e- M5 a8 m d: U xchg dx, es:[41h*4] [% w* ~7 P3 o. d- Z8 f
xchg bx, es:[41h*4+2]! a' ]. O/ i* a( i5 [; A7 L7 s" q z3 ?
mov ax,4fh
* D% G) H6 Y$ h3 T. ?5 r7 b: i int 41h
; A0 a8 ]: ]3 L$ c) ~ xchg dx, es:[41h*4]
3 W7 {, Y- p! x3 Z9 M6 a/ d xchg bx, es:[41h*4+2]
; |" o7 g& h* ], u) e' D( y( [+ r cmp ax, 0f386h4 v1 ]( c( Z/ V3 s" t3 ~
jz SoftICE_detected$ S! M6 G# R4 V9 P/ ]
( j j+ X$ D; {& pint41handler2 PROC K6 G$ \, {% {9 G4 B
iret
0 a; m4 z) C1 \4 i( T/ @+ V0 H( d5 }int41handler2 ENDP" n7 M* b3 R$ z7 {1 e
3 D R9 Z/ `9 q; J1 U5 U! C0 q2 r1 g
9 c- M% B. V6 {5 p. Q6 k
_________________________________________________________________________
! w" e2 O6 N2 ?2 K8 h0 X$ e/ W3 t" o5 @; V; \0 x" A/ X
6 k/ [3 p0 d# } o, RMethod 06$ ~* G- `, o( W# |; ]' z) J, w
=========7 \ ^4 [+ ^6 X' @# I
) Y: @3 R3 A! r6 y! |
# }3 \; G# h; _( w. x7 ~( m) O/ W2nd method similar to the preceding one but more difficult to detect:0 o& X8 B# b- x: i( x' Y
% j( x' R8 ]2 o3 `) t
, y# {8 G! z& ~$ Bint41handler PROC* o7 Y+ t8 h- @. o+ l
mov cl,al
2 @" g% q0 |" l1 L iret
& Z6 _# v6 r: ?- N& Wint41handler ENDP G7 L/ l& X# e1 X7 h- J6 i9 v9 `
; F. I d4 O% V, R# P% k3 h
6 k# L. O2 i1 c2 p3 r xor ax,ax. g' q& S/ }3 h( ~/ c# `
mov es,ax; j D% ^% I7 ?7 s3 ?
mov bx, cs& t8 W* `3 h: D \$ [7 H
lea dx, int41handler M& S, L( B+ ]& ^# Y) a
xchg dx, es:[41h*4]
" g, Y8 L% A* t- `( f xchg bx, es:[41h*4+2]
% y; l! ?4 a; h8 y* O1 R in al, 40h
& U1 [+ \- j/ j xor cx,cx' Q- m+ z G8 J8 U0 B# e& o. _! `- ~
int 41h$ i) Y* y" u4 G( ]* `
xchg dx, es:[41h*4]
; y( d0 r) Z3 p7 `( D' p( ~4 f% {2 ^ xchg bx, es:[41h*4+2]
7 p; y% `& m7 w) o2 n. B cmp cl,al
6 L! Z1 [" J7 i$ C: Z8 D$ R jnz SoftICE_detected# s" Q, r3 o9 t5 E2 }
8 i9 V- k5 s! W3 @* V
_________________________________________________________________________
' {% f$ w1 [" D) S
0 N5 i0 x+ s& {Method 07
5 P# |, u! ?3 `# E=========2 M' W: X# ~7 k: Y
" b7 j! d( X6 Z1 B
Method of detection of the WinICE handler in the int68h (V86)
! L; v! q# u5 [3 }% U
3 c( W! h! M8 F1 V4 v( o mov ah,43h
6 g3 c7 |" I! a3 _/ L. Z* d2 ` int 68h
2 }$ ~/ [$ \, O7 c T& y cmp ax,0F386h
$ _5 a1 l/ l( i) Y jz SoftICE_Detected% Z( y# R7 |/ O- x- C0 y: k3 P% D; L
3 C& F$ }0 `! F% e
3 C6 q- y6 `. S7 Q' g/ L=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
; k8 i5 u0 z0 h app like this:
- L' p5 E5 s, Y) o
! G X; ^8 V" L+ x BPX exec_int if ax==68
3 s1 U3 h4 P* ~ (function called is located at byte ptr [ebp+1Dh] and client eip is
- w x- W+ R9 z: V+ I/ E K+ F% q located at [ebp+48h] for 32Bit apps)+ ^2 d% \8 u: S+ a0 B& J
__________________________________________________________________________1 _) R/ z5 \ K+ w8 p' p3 }( s* i
0 H& x. m* o0 _9 r) R
/ t2 g, U, w* ^Method 084 @7 q9 P) O+ r# i
=========, n8 E0 \/ V8 {2 f {
! G: D4 B; |, P9 u" IIt is not a method of detection of SoftICE but a possibility to crash the) M1 o) c) A: o9 ?& }1 n1 Z$ k
system by intercepting int 01h and int 03h and redirecting them to another
5 R/ N' j+ o; X j% Y0 \+ |3 {routine.. b7 {2 i1 V6 @& F+ q" G. c
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
. ]4 k0 y( Z: Oto the new routine to execute (hangs computer...)8 _' d: `+ b, j
2 U/ N" g6 S7 s mov ah, 25h- C0 I+ v) K# C6 ~4 e6 n9 D1 @
mov al, Int_Number (01h or 03h)
?6 ~: B0 b3 @1 M mov dx, offset New_Int_Routine- e9 |6 B1 _' @- h
int 21h& y+ ~, n/ B0 E h" B( D! D+ Z
+ ^/ a8 c6 B% y/ I1 D) z
__________________________________________________________________________
( Z2 v8 V6 @ q h
0 C7 W, C, k# U; Y) wMethod 09
- J" `/ i1 M* ?0 ~( C( }; [=========( S! f/ _4 [2 J6 q% W' g0 }
) \, |2 @& F7 {2 J+ d5 \
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only2 `+ z/ z7 G( U- I) ?4 w) R! \
performed in ring0 (VxD or a ring3 app using the VxdCall).
- e) P0 e# y- t5 UThe Get_DDB service is used to determine whether or not a VxD is installed( R( A. F9 j+ X% ?; E" [4 A7 k
for the specified device and returns a Device Description Block (in ecx) for6 Q; ^/ Y0 G" h$ o, b8 l
that device if it is installed.0 }* Z, I1 p3 m R$ P
7 d8 k. r2 y9 D: G* Y mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID) l- D4 v% M1 E
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
* _. w5 P0 K6 @2 Z/ L' i% j* W5 q' N+ ` VMMCall Get_DDB$ U5 m+ K; P- j; B3 V o
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed7 D$ o- \- x8 s0 R2 y |$ r
. a. s8 n9 f) g9 C
Note as well that you can easily detect this method with SoftICE:
/ y, R' K" Q( I) v bpx Get_DDB if ax==0202 || ax==7a5fh. ]5 t7 N l7 O( N$ w; P+ x
% ~6 j. O. x% P; C, M__________________________________________________________________________9 o+ M7 o& D2 Q6 I0 K2 ~
4 v/ I( {# m. I, _: iMethod 10& H6 w" t3 c. D
=========
$ t$ i3 y# D9 s. \' S* r! b5 B" Y q* d& Y
=>Disable or clear breakpoints before using this feature. DO NOT trace with
! R. O f3 C$ r SoftICE while the option is enable!!
& x, t5 D3 ^' b5 O) J! u+ ~. q3 D6 k8 B3 f
This trick is very efficient:
6 }- q) x& b* X' z0 V+ U( Uby checking the Debug Registers, you can detect if SoftICE is loaded; i6 S4 X% V+ e7 D6 j: D$ u
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if1 a# B4 d0 Y, y' W, n
there are some memory breakpoints set (dr0 to dr3) simply by reading their7 a/ z; ?* I8 b8 w, I, e) P
value (in ring0 only). Values can be manipulated and or changed as well. J5 w% Y$ Y# `; x" E1 B2 K
(clearing BPMs for instance)
8 q1 j" M0 b6 d( W( f) @4 u
# X. w2 d# Y) ~! Y7 }__________________________________________________________________________! S' M" ]9 h- s
% K" V6 B1 c5 j! U5 y
Method 11" k, R( e* S5 W8 l) W/ ^4 b8 l
=========8 \( y% n( f2 w J8 Q8 R4 D
; h: R7 q1 I# y$ X! b* z0 }' LThis method is most known as 'MeltICE' because it has been freely distributed; O' ]0 b: D3 b% i
via www.winfiles.com. However it was first used by NuMega people to allow3 r# a# R) }) K- R5 I
Symbol Loader to check if SoftICE was active or not (the code is located
4 G' z+ Z& `/ g2 l7 e9 qinside nmtrans.dll).
* l4 m* [: v9 i- R" o$ _! c$ l! h7 c
The way it works is very simple:
4 D8 o7 E! A: N GIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
. [- M; h5 n! H2 T2 @8 IWinNT) with the CreateFileA API.+ O) t! M0 J: R( p
; T: L6 O4 k% ]0 X& f; C& o$ [% r
Here is a sample (checking for 'SICE'):
" l! Q" ^8 m8 L3 \. L+ \1 n3 @2 g$ D2 B
6 u: K6 A/ W" h4 i: U8 WBOOL IsSoftIce95Loaded()3 z4 D3 G2 M2 C5 r2 ?
{: B1 _% k4 u" i( x
HANDLE hFile;
7 W/ n1 N9 e$ d I% l4 h hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,9 M" S' G, H) q: y8 w
FILE_SHARE_READ | FILE_SHARE_WRITE,
. S. S; ?+ e' X NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);4 b5 w0 f( B X* B: m
if( hFile != INVALID_HANDLE_VALUE )
& v% t2 ?4 P/ K/ [. b" j" i, v# B {
; B8 K: x; ?0 ?8 t/ x J1 ~; N0 P' q CloseHandle(hFile);
* k/ w- E( w: g7 a8 i; C! J return TRUE;
+ z! G4 l7 ^- z+ ` }
4 }: Q# C1 G O; P6 U8 n9 u return FALSE;
/ {$ v+ m$ r) {5 h" b}
9 x% V3 k6 {( B: |9 n& H0 T/ S5 J0 [& u3 L
Although this trick calls the CreateFileA function, don't even expect to be
9 W# A/ E7 H. F, \$ e# ]- F6 t1 Rable to intercept it by installing a IFS hook: it will not work, no way!# D" G2 [" i0 F2 H4 s; t
In fact, after the call to CreateFileA it will get through VWIN32 0x001F. T6 b: {1 j1 R& q6 ~& y) O
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)3 R9 c+ ^5 |4 H. @
and then browse the DDB list until it find the VxD and its DDB_Control_Proc% p9 u9 Y0 o) M# Y& h7 o( j$ e4 P
field.; Q- j7 `/ _! ^5 g0 d$ T
In fact, its purpose is not to load/unload VxDs but only to send a
3 S8 p* J& b5 k. u) E5 I" PW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)! A1 U* } ?1 _$ R
to the VxD Control_Dispatch proc (how the hell a shareware soft could try+ ]8 F: O: T! O8 l* t' k3 s3 @' k
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
& ^0 e) d( I F( d+ G: L6 U; ^2 cIf the VxD is loaded, it will always clear eax and the Carry flag to allow
6 E) v9 ]2 \+ P* K/ m- u7 nits handle to be opened and then, will be detected.
) Y3 ?/ R: B& e1 I$ H0 v1 t4 fYou can check that simply by hooking Winice.exe control proc entry point& h' F( ^: b' x& \# |0 r
while running MeltICE.! f6 _( ^) @5 l. K. v! K- l
- f) n7 L6 u" `
6 g6 S8 Z5 X0 A$ ~ 00401067: push 00402025 ; \\.\SICE
( Y. S1 T, Z' J0 W# q: d2 W 0040106C: call CreateFileA
# w) h P; A3 ?8 ?! l- }& I 00401071: cmp eax,-0010 ]; E) A$ ~% W
00401074: je 00401091- z. X: s2 i" H5 ~# H9 ~
3 ~" \ }+ h( L, B ?. }; \% c. y
8 r. Q0 Y9 L+ }. O3 [; yThere could be hundreds of BPX you could use to detect this trick.
0 E4 K* O# N! w9 g( x-The most classical one is:0 G' j8 W2 g8 I9 x7 w# C
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
* W! l: ^! u1 H4 Q! A$ s$ L *(esp->4+4)=='NTIC'9 A$ q$ j3 o1 {4 k' K6 [" h
* K0 \; s. c$ t' @+ e
-The most exotic ones (could be very slooooow :-(
2 d8 S; {* w% p6 x& e% y6 n BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
% p0 m6 ~+ J# ^9 h6 X$ P8 _0 I ;will break 3 times :-(6 a/ H$ ~9 Q7 V$ @- U9 G0 {/ I
. x, b$ g" C! o0 l9 |" T! {8 m
-or (a bit) faster: ) Z. F* P& E7 X9 W0 ^# N- G( N
BPINT 30 if (*edi=='SICE' || *edi=='SIWV'), U4 D3 }: _2 {& m5 R
9 T3 [4 h* S, K' @( U6 h8 W
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' # z# l! E6 f8 H |& `- B5 ` \1 P
;will break 3 times :-(2 b+ c: |- G% i5 a/ `! c- m' s
; h5 z2 a% R2 r z: m0 h
-Much faster:
1 g$ H2 z& V8 ^! m BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
- R- y! E5 t* }0 m' j+ B6 \
% \2 c. K) {% f9 TNote also that some programs (like AZPR3.00) use de old 16-bit _lopen- B, g( T: |* U7 R2 h
function to do the same job:
9 M+ a# y6 C1 A/ }! q) w1 l+ E/ Z6 r$ z x" f
push 00 ; OF_READ: c$ p( f y; W( Y8 ]( ^0 m
mov eax,[00656634] ; '\\.\SICE',04 M! {; W# @. K8 R/ I: n0 y ~
push eax
0 @% v( k4 e) @; O call KERNEL32!_lopen2 {$ F$ F& Y0 c; I. ?9 T. J6 A
inc eax
: F7 R) t* C& P X jnz 00650589 ; detected
" w1 u+ b7 J/ ? push 00 ; OF_READ
8 R2 P( \3 p' U; D1 d/ Z mov eax,[00656638] ; '\\.\SICE'
6 k1 J& o: ?" o4 u push eax
( E' ~! T: x0 T3 j$ @ call KERNEL32!_lopen
3 z$ @8 @: `$ _2 d/ R. B inc eax
% e9 C* r# a5 @: M1 c' D jz 006505ae ; not detected+ ]+ _/ m7 {: w' q1 [; U
* t, o5 N/ j: J5 m
$ |/ V6 L! S5 T8 \+ S4 `& K__________________________________________________________________________: K$ x$ q# z( {% k3 \% S
$ E5 t: ~1 ]" {3 b
Method 12
& K% R* @" |8 k7 `, }=========
+ F9 n m3 G7 j# w
2 G* C" s8 I" @/ j$ VThis trick is similar to int41h/4fh Debugger installation check (code 05
4 k3 O3 u/ T) c( d+ p& 06) but very limited because it's only available for Win95/98 (not NT)% t3 U/ N+ {/ N; K" P! o
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
7 L9 D8 v7 f0 P7 w' A
7 N; k3 ~. [$ E+ s push 0000004fh ; function 4fh
6 w- ?# c6 J: ]! a# p: U' p' V3 x push 002a002ah ; high word specifies which VxD (VWIN32)
8 m7 e' n* _% J- Y# E! d ; low word specifies which service
, d; I+ H$ |7 \6 H, d (VWIN32_Int41Dispatch)0 F* x: h; ]0 |) r9 Z7 \' a
call Kernel32!ORD_001 ; VxdCall0 {) m" x L# t F) }( t
cmp ax, 0f386h ; magic number returned by system debuggers, C$ D3 D1 i- k+ H5 D
jz SoftICE_detected3 ]5 ]! b; Q2 f5 v# I# N$ o
# O" Q7 y+ y7 y0 z1 s' }! u/ z
Here again, several ways to detect it:5 l2 X& V8 b, [% H h
* y3 j5 y- ~( [9 C
BPINT 41 if ax==4f
& I2 @$ }# J& _" L7 d4 C' f& {% F2 @3 P5 p
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one) u9 D* p" e) ]8 w
+ G* C2 Q b4 {: V( b/ i BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A, ^) ^4 d" i" h' V% E5 f: L" X! N
/ X7 X/ F: {, q9 F! Q* h BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
, E: u/ K& F2 O6 R% \! n1 y7 `$ O. a) d( d3 H; M3 X# [
__________________________________________________________________________' V3 \6 w; W: J6 \' r" D
5 z& H# a. U# x* x+ Q
Method 13
, h' u9 `% E, @: b5 P=========+ q- W8 R- n9 `1 g
8 m- E9 K" M* E; @$ Z. e
Not a real method of detection, but a good way to know if SoftICE is
3 j- U F. {$ ^installed on a computer and to locate its installation directory.. W3 q$ h% C) O% F. ^' C
It is used by few softs which access the following registry keys (usually #2) :
! t) \! z: M( b C' t: \* @5 R: j$ w) e
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion5 p7 e( r! z5 V$ u" a& A
\Uninstall\SoftICE
+ D7 R% P1 {1 e C" s: N9 J, c-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
) Q9 d3 r$ ^; F- g# g* M I3 Y; A-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
: j" D1 o0 a$ l& ?; z\App Paths\Loader32.Exe
! c+ A, n4 ^& X7 W- i7 f. n+ ]" w M+ n8 t
4 x2 O6 {9 d' n* o7 d: v J0 bNote that some nasty apps could then erase all files from SoftICE directory
9 A7 {, F) z9 d9 I# ]0 P(I faced that once :-(
% ^9 M% S. F, ]
; }% u( Q/ T% r& F% iUseful breakpoint to detect it:
, E9 P1 B' }" S4 u* T
+ E8 h6 M2 f# I6 `! W8 a BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
& s' ^1 `' z4 C: A/ q/ a+ Q- w( B4 {& X1 \5 S
__________________________________________________________________________
# Y- B5 d' n; r9 j# }/ x8 K
c Y7 ?! R+ i3 c% S: ]) X' Z: s- F6 Z; i$ {8 ^& U* J
Method 14 # Y# E# W1 P2 N3 I) X% T6 w
=========
6 _! u, v! `0 m) W+ c1 X# j5 q0 }% N2 O! U& g1 ~; Z) M: `
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
/ X$ y- C# M' T1 S; C# i4 Vis to determines whether a debugger is running on your system (ring0 only)." b1 S {7 \# P8 i0 C
2 O- c+ @7 Q$ Z6 j7 d
VMMCall Test_Debug_Installed2 U7 D0 v9 V' T9 B
je not_installed. u ?9 B' |; Z
+ E: l9 F) z$ v9 P0 ]5 JThis service just checks a flag.: n2 i9 M) d; K; N
</PRE></TD></TR></TBODY></TABLE> |