<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE recognizes: with
'BCHK' in EBP and AX=4, the INT 3 is answered by SoftICE, which changes AL,
whereas without SoftICE AL is still 4 afterwards.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911     ; execute command.
        4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647     ; 1st magic value.
        4C19:009D MOV DI,4A4D     ; 2nd magic value.
        4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
        4C19:00A8 JB 0095         ; 6 different commands.
        4C19:00AA JMP 0002        ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded
  (with no debugger, the INT 3 raises an exception that the program's own
  handler catches).
___________________________________________________________________________

Method 03
=========

A less used method. It looks up the SoftICE VxD by its device ID via
int 2Fh, function 1684h (Get VxD API Entry Point): if ES:DI comes back
non-zero, the VxD is loaded.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The real int 41h vector is temporarily
swapped for a dummy IRET handler around the call, so the only thing that can
still answer 0F386h is a debugger that intercepts the interrupt before it
reaches the interrupt vector table:

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; assumes es=0 (IVT segment), as set up in method 06
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect.
AL is loaded with an arbitrary value from the timer port and CX is cleared;
if the program's own handler really ran, CL equals AL afterwards, otherwise
a debugger swallowed the interrupt:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler behind int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).
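To make sense of the 0x700 / 0x400 values above, here is an added DR7 decoder (example code, not from the original text or from SoftICE). The bit layout follows the Intel manual: bit 10 is reserved and always reads as 1 (that is the 0x400), bits 8 and 9 are the LE/GE exact-match enables (0x700 = 0x400 plus both of them), bits 0 to 7 are the per-breakpoint enables and bits 16 to 31 hold the (R/W, LEN) pairs for DR0 to DR3. The third sample value, 0xD0001, is constructed for the demonstration and is not a value quoted on the page.

```python
# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   : L0,G0 .. L3,G3   local/global enable for DR0-DR3
#   bit 8      : LE  local exact breakpoint enable
#   bit 9      : GE  global exact breakpoint enable
#   bit 10     : reserved, reads as 1 (hence the 0x400 baseline)
#   bit 13     : GD  general detect (trap on any access to DR0-DR7)
#   bits 16-31 : (R/W, LEN) 2-bit pairs for DR0-DR3, 4 bits per register
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 8 is only defined in 64-bit mode


def decode_dr7(dr7):
    """Break a DR7 value into its control flags and enabled breakpoints."""
    info = {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue              # DRn is not armed, its R/W and LEN fields are irrelevant
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        info["breakpoints"].append({
            "index": n, "local": local, "global": glob,
            "kind": RW_KIND[rw], "length": LEN_BYTES[ln],
        })
    return info


def exact_match_enabled(dr7):
    """True when both LE and GE are set: the 0x700 pattern the page attributes to the SoftICE loader."""
    return (dr7 & 0x300) == 0x300


def hardware_breakpoints_set(dr7):
    """True when any of DR0-DR3 is enabled locally or globally (a BPM is active)."""
    return bool(dr7 & 0xFF)


if __name__ == "__main__":
    # The two values quoted on the page plus one constructed value:
    # L0 enabled, DR0 watching a 4-byte write (R/W0=01, LEN0=11).
    for value in (0x700, 0x400, 0x000D0001):
        print(hex(value), decode_dr7(value),
              "exact-match" if exact_match_enabled(value) else "",
              "bpm" if hardware_breakpoints_set(value) else "")
```

Reading a real DR7 still requires ring0, as the text says; the decoder only interprets a value that has already been read.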

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SoftICE VxD device by name; CreateFileA is used explicitly
       so the narrow string compiles in a UNICODE build as well */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;            /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov eax,[00656634]              ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589                    ; detected
        push 00                         ; OF_READ
        mov eax,[00656638]              ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                     ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
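The breakpoints quoted throughout this text catch each trick at run time under SoftICE. The added example below (my own code, not part of the original text or of any tool it mentions) does the complementary static job for methods 01 to 07, 11, 12 and 13: it scans a byte buffer for the opcode sequences and strings of those checks so a packed sample can be flagged before it is run. The byte patterns are my assembly of the listings above using the standard x86 encodings (mov ax,4Fh / int 41h is B8 4F 00 CD 41, cmp ax,0F386h is 3D 86 F3, and so on); an optional 66h prefix covers 16-bit operands in 32-bit code, and a short gap between the key instructions tolerates the register set-up in between. The SAMPLE buffer is constructed for the demonstration, not taken from a real file.

```python
import re

# Optional operand-size prefix and a tolerance of up to 8 bytes between the
# key instructions of one trick (register set-up, NOPs, junk).
P = rb"(?:\x66)?"
GAP = rb".{0,8}?"
DEVICE_PREFIX = b"\\\\.\\"      # the literal text \\.\ in front of a Win32 device name

# (description, regex over raw bytes); opcodes assembled from the page's listings
SIGNATURES = [
    ("Method 01: 'BCHK' in EBP followed by INT 3",
     P + rb"\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC"),              # mov ebp,4243484Bh .. int 3
    ("Method 02: back-door magic values SI=4647h / DI=4A4Dh",
     P + rb"\xBE\x47\x46" + GAP + P + rb"\xBF\x4D\x4A"),          # mov si,4647h .. mov di,4A4Dh
    ("Method 03/04: INT 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     P + rb"\xB8\x84\x16" + GAP + P + rb"\xBB(?:\x02\x02|\x5F\x7A)" + GAP + rb"\xCD\x2F"),
    ("Method 05: INT 41h function 4Fh",
     P + rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41"),                  # mov ax,4Fh .. int 41h
    ("Method 05/07/12: compare AX with debugger magic number 0F386h",
     P + rb"\x3D\x86\xF3"),                                       # cmp ax,0F386h
    ("Method 07: INT 68h function 43h",
     rb"\xB4\x43" + GAP + rb"\xCD\x68"),                          # mov ah,43h .. int 68h
    ("Method 11: SoftICE driver device name",
     rb"(?i)" + re.escape(DEVICE_PREFIX) + rb"(?:SICE|SIWVID|NTICE)"),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     rb"\x6A\x4F" + GAP + rb"\x68\x2A\x00\x2A\x00"),               # push 4Fh .. push 002A002Ah
    ("Method 13: SoftICE registry key",
     rb"(?i)" + re.escape(b"Software\\NuMega\\SoftICE")),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(buf):
    """Return a sorted list of (offset, description) for every indicator found in buf."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample (not a real binary): method 01, method 05 and method 11
# fragments padded with NOPs (90h), followed by the method 13 key name.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"          # mov ebp, 4243484Bh ('BCHK')        offset 4
    + b"\x66\xB8\x04\x00"              # mov ax, 4 (16-bit operand, 32-bit code)
    + b"\xCC"                          # int 3
    + b"\x3C\x04"                      # cmp al, 4
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"          # mov ax,4Fh / int 41h (16-bit code)   offset 20
    + b"\x3D\x86\xF3"                  # cmp ax, 0F386h                       offset 25
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"               # device name string                   offset 32
    + b"\x90" * 4
    + b"Software\\NuMega\\SoftICE\x00" # registry key path                    offset 45
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

A hit on the 0F386h compare alone is weak evidence (the constant can occur by chance), so in practice weight it by whether an INT 41h, INT 68h or VxDCall indicator sits nearby; the scanner keeps the indicators separate so that decision stays with the analyst.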
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>