<TABLE width=500>
0 @. |7 e8 r' G<TBODY>+ K+ \6 o! |: x
<TR>! z4 a) u+ K: K7 ^$ R
<TD><PRE>Method 01 ) B; k$ W- S2 b" c) c: `
=========
& y3 m1 s/ I0 T" J, c8 |! K
2 q$ X6 E9 F+ ?& r3 PThis method of detection of SoftICE (as well as the following one) is F: c( B7 x7 @; z" M8 ^' Z8 u5 ^
used by the majority of packers/encryptors found on Internet.
2 Y1 P0 G) ~, uIt seeks the signature of BoundsChecker in SoftICE
1 }0 J1 i" w' t# @# |5 N; ^, k2 Q. b) u& ]3 V
mov ebp, 04243484Bh ; 'BCHK'
$ f* A6 L4 Y, L" J2 m K& F) f mov ax, 04h0 f0 S# I. I7 F& d7 M d$ j
int 3
7 J) Y, V3 W3 C" ^ cmp al,42 t; v: q- u9 f9 f$ w3 c' _
jnz SoftICE_Detected7 u+ y5 r4 k/ b* h$ k6 b/ R j7 ^/ [
7 f3 o ^: x" q9 M___________________________________________________________________________
1 ^6 }" R' @( j4 p/ |6 L' M2 f: r* e$ u+ [( b* r! |/ q0 [4 U
Method 02
0 I* f( r# q* C3 _7 N% C4 f v8 h=========
. V) t, a0 `+ V( m5 ^$ T" z0 f% R1 t% m) i" ]; l
Still a method very much used (perhaps the most frequent one). It is used5 N" F$ _: g0 T+ j& s8 o
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,# N, R- I5 g* q4 i9 G' x) H
or execute SoftICE commands...
3 ]$ ^. k0 ?+ U, _2 AIt is also used to crash SoftICE and to force it to execute any commands
1 ? d+ `6 G1 G6 C8 T4 e. a u& t(HBOOT...) :-(( ! Z1 y- Y. d+ b
6 Q; C0 N2 m6 N! q: [Here is a quick description:2 F o9 w9 G! W$ t: P7 d2 g
-AX = 0910h (Display string in SIce windows)5 I: n- C( } w$ D1 N# S- \ b9 B
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
9 i0 |/ C/ T. S-AX = 0912h (Get breakpoint infos)
# f3 e4 z9 y, G; w, w2 _- j-AX = 0913h (Set Sice breakpoints)
+ k! Q f& q$ C-AX = 0914h (Remove SIce breakoints)
# {( f$ W$ t/ o! @* M6 F' ~3 q% e% |* {+ F! J
Each time you'll meet this trick, you'll see:
/ u7 d6 x3 V I. s-SI = 4647h C- Z3 V1 E8 d0 _5 f- i C
-DI = 4A4Dh8 v1 `( ^. s& V# M
Which are the 'magic values' used by SoftIce./ c7 X9 Y' p2 ^ I
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.9 R2 E* h- l; @! @* m$ Q y
( v; L# i E! e5 h/ b# fHere is one example from the file "Haspinst.exe" which is the dongle HASP
# \: t' H# `- k' aEnvelope utility use to protect DOS applications:$ t* r* E/ a( ~' |! D$ g
3 n9 _. \" Z. W0 S* @$ I
! H" L3 @5 `/ z0 d( i5 t& z
4C19:0095 MOV AX,0911 ; execute command./ F4 ]; @7 S2 _1 n1 X2 t; f1 X
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below)., T- Z# l3 U" D( [3 d5 a9 S& }
4C19:009A MOV SI,4647 ; 1st magic value.
' v3 U; \ h9 c+ h1 y) B( q4C19:009D MOV DI,4A4D ; 2nd magic value.
8 |+ R6 B5 O3 q @2 {4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
* U( [( [& A* t4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
3 H. i/ }* o% }4 d7 v5 G4C19:00A4 INC CX
: S, W9 e, n, a. F6 n6 C$ q4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
9 ?1 B9 ]' x0 u0 x) ~4C19:00A8 JB 0095 ; 6 different commands.' r9 A0 @, K; \3 l$ p
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
$ d* [5 F3 V) m2 G0 y( k+ W+ h4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
/ q: `7 t; g) F
! R% @% V- `1 |- wThe program will execute 6 different SIce commands located at ds:dx, which
5 T; G+ g3 D) U3 U+ W! lare: LDT, IDT, GDT, TSS, RS, and ...HBOOT., B/ T9 G- O4 E: I9 ^
; Z7 j0 k2 y) ~) V1 U7 ~
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
5 C5 r. ]7 `. |, [1 L8 w& ?___________________________________________________________________________* T5 m1 ?7 T" m0 ]
6 J: p; m' T- Z; K
$ j" d' d. s9 p S9 i7 lMethod 03
( ?) G* s& a0 f+ H=========! o i# h6 z$ a: r: T/ {
1 C, y ?! ?1 j
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
) }( F7 l, z- V" o) A, x- n& X! B4 f(API Get entry point)9 i: ?0 a6 H: C- F
# N" @6 L& S5 ]) j; X) K0 V# N1 f5 z- Q7 q2 C1 A% z8 v
xor di,di/ d. x" d& M% |7 y* c
mov es,di
U/ f; K8 d/ Q5 x mov ax, 1684h 1 J% B6 {6 d# Q2 ]
mov bx, 0202h ; VxD ID of winice1 o9 H( c7 ?1 d1 v3 z
int 2Fh8 j$ |4 T- r9 v ]* a7 H
mov ax, es ; ES:DI -> VxD API entry point# r1 [" g# M* P9 J8 G7 v" I+ \
add ax, di! P( x' [3 V/ M5 B( ^' u' t2 k* ?/ e5 m
test ax,ax
) N$ [! r9 u4 Q, a' k jnz SoftICE_Detected. Z7 A6 {* u7 X* N( G) D* ~
3 g& H* l# W {___________________________________________________________________________
- w$ F, [' t/ T5 U
! q4 k$ V7 P) w3 Z0 p- ` A kMethod 04
5 W/ V1 b6 l/ f$ v9 a, `- W/ h=========
& l( P2 j! d) [5 L1 p- \# F
: q& A7 ?" v2 oMethod identical to the preceding one except that it seeks the ID of SoftICE6 c2 ?" `$ N1 G0 \
GFX VxD.
- d8 U- Z4 K% @+ k( u1 Y ~5 [6 i
5 i) _' K3 h9 m; p# I# @ xor di,di
4 F/ q" r+ Q. ]2 M# b( L. ^ mov es,di
% @7 s- I* q# p3 q. z! H mov ax, 1684h
( ^0 k6 @$ i( E. `6 N w mov bx, 7a5Fh ; VxD ID of SIWVID
3 W8 z/ W! x: X7 S- ^ int 2fh
7 t! A$ k2 d2 E, H mov ax, es ; ES:DI -> VxD API entry point
9 _/ P# y1 o' {) ` add ax, di
4 q5 E; \/ w v5 b! R+ R' c. F& } test ax,ax3 u* T: |0 x% z+ Q& J- [0 r
jnz SoftICE_Detected
9 G6 U/ Y! ^/ E+ B: c% V' e" c0 P1 T2 O0 b/ G T& L
__________________________________________________________________________
9 y- K2 ?5 d& F3 Q8 R4 m W8 v; N9 `+ e5 I( F1 M
9 ^- N$ t5 N+ H7 l& B
Method 058 E1 D- x5 u) _8 Q* t
=========+ c: H1 k: A4 \% }1 q' U! Y( x
+ P# I) h8 Y$ n( [
Method seeking the 'magic number' 0F386h returned (in ax) by all system
$ W4 [) L8 k+ S4 {# e3 n' Wdebugger. It calls the int 41h, function 4Fh.
( m% c" v; C- E& w! zThere are several alternatives. % E/ a/ S" u" ]
1 Z' G) K* K4 ^4 f# ], WThe following one is the simplest:
' b* [; g7 v" P' n6 K
+ }/ f7 }7 j3 M% }/ t% L5 B mov ax,4fh9 f. D b. |/ a0 W9 I# |
int 41h
& Y6 C9 ~! [- O" t$ D! S$ j cmp ax, 0F386
( h% q' L# F& o$ I9 P& m8 E8 D q jz SoftICE_detected
# ]: i1 y# D7 I# z, @4 p
" h! `- L3 k( g/ [/ H
% h N: j0 \- ^; c7 Z% J2 S+ R& ANext method as well as the following one are 2 examples from Stone's
% t k$ T/ |& T"stn-wid.zip" (www.cracking.net):
5 n& i" B% r" W0 t/ G
% P4 {) N/ D1 P9 ^2 S6 b' I mov bx, cs
5 p, H4 ]& n K8 e# ^ lea dx, int41handler2 G, i% w# ?3 V C. o! m
xchg dx, es:[41h*4]' S; m; S+ P/ g' v; q/ [; Q6 c
xchg bx, es:[41h*4+2]8 l, K( V. x! \- S
mov ax,4fh( _6 J- h ~/ Y) S
int 41h
, Z/ p3 y$ |6 r: v xchg dx, es:[41h*4]0 P( G7 Y# x9 Y1 {3 w0 ]
xchg bx, es:[41h*4+2]
3 X0 Z3 y' o+ g! I4 h cmp ax, 0f386h
e$ V7 W5 S7 V$ F/ U: K5 x& C jz SoftICE_detected
2 V" \8 o7 h% T! ]1 u2 |4 ?1 a! @5 _: y1 j3 J
int41handler2 PROC8 g# w. l; Z2 a) B @1 f) s
iret
; }1 o ?% O j0 nint41handler2 ENDP
7 U. u5 a5 T: n' {8 q% v
/ B0 l" K! b5 s: Z/ q+ {4 Q7 o" m F1 S' ^+ n; k) D/ A* M
_________________________________________________________________________5 K3 A2 c% w% u
# S" [3 |; r- ]( H3 |) U
# ~* ^- W6 y$ p0 x* jMethod 06/ S* {% F: G5 G/ x& w2 B
=========
T; F: W! b' }, Y. h: S
2 N9 g0 g, e2 V7 h( q# @' X! W( A# R. D6 H' {* K- `
2nd method similar to the preceding one but more difficult to detect: m, S4 t# n e9 ], ^
1 n% N6 @* ~( ?: Q$ G" F! u m
' P3 M5 S1 m0 x. I2 Lint41handler PROC! r( c- D; G9 `$ x0 b
mov cl,al; s" @ o: {* `. E8 ~+ e
iret5 |$ R8 \0 R& ]; i- S7 X
int41handler ENDP
7 L! u+ n1 t5 E/ Q+ C% q$ T( f
0 M! R* ]! o: h- O4 D# g) J2 P+ a! }+ \$ q5 a3 Q7 F5 q/ W; |
xor ax,ax7 g; A4 ?7 M# w8 S
mov es,ax
4 e; V& t$ N- Z3 h% G mov bx, cs
) i$ Z- {. y' J( G' \ lea dx, int41handler
7 m- R$ T6 v3 W* m" S xchg dx, es:[41h*4]
) @- p0 P( l* N2 Z8 V0 W xchg bx, es:[41h*4+2]
, K% G1 u& Z9 O1 m9 x+ o( m in al, 40h
$ c+ Z x7 W8 N% e& @. t( Q2 B" K xor cx,cx
( \1 n$ \1 }$ _" F/ Q/ m int 41h$ T }( |# i0 X
xchg dx, es:[41h*4]8 T% v4 Z% d% _- ~
xchg bx, es:[41h*4+2]2 p3 q; i& m% [7 E r; F+ X$ o1 g
cmp cl,al
) i' O+ X; |1 k# k5 _' J jnz SoftICE_detected! ~& z* a. w' _* r2 Z9 X
; l+ G- A% a7 ^5 I/ W
_________________________________________________________________________
0 x' J r _& c/ ~* [
0 E* j1 H' h; t+ H. ~6 K$ J9 S/ sMethod 07
' K0 N9 q) ]0 Y* |9 Q4 v$ x/ I, M" s=========1 B+ [8 a) j3 \" }% _+ B
5 |: P7 K ?1 @- T$ @3 q+ D% Q7 bMethod of detection of the WinICE handler in the int68h (V86)
" s! o* F9 r+ g8 \7 P. t* m
- S) [. R7 X" G9 k& {4 m" O mov ah,43h% R& x# R4 H4 y; H9 U
int 68h8 X2 E* Q2 U4 m
cmp ax,0F386h
7 h5 q6 w! H8 I0 W jz SoftICE_Detected8 p: x4 d. U, u; g3 N
. h& Z9 Y) z1 u) _6 p$ _
5 D$ @" d% O% I/ ?# o=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit4 g' O5 a4 W' ]) m
app like this:- B; C4 n2 r4 k5 \6 F6 V
3 e4 L& ^% M8 V0 F
BPX exec_int if ax==68
: z. u6 t5 z, E: e( W. {5 W, o! m (function called is located at byte ptr [ebp+1Dh] and client eip is
& s" N, a) z/ O8 T, Q8 d located at [ebp+48h] for 32Bit apps)
0 U; d1 {! \2 @6 ]# K, [__________________________________________________________________________
+ R; j8 v1 q7 g9 y" U
' n0 _. S R9 p4 s9 l1 I/ B( H0 P9 P$ l+ Z+ ], L& K& X @3 J
Method 08
9 J/ o5 R5 @$ n9 _. j& f=========
: J* O: B, o/ G) Z# M' I+ d. t1 d; m+ J) u- w* f" F8 k. _
It is not a method of detection of SoftICE but a possibility to crash the! I1 d2 ?% j* C' G1 R
system by intercepting int 01h and int 03h and redirecting them to another
5 f/ P6 X( W5 }; iroutine." Z/ B z" o: _* a# p, N7 x
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
: O- U% k& n2 a7 `- Vto the new routine to execute (hangs computer...), [/ r7 y1 r7 x% r9 M) l+ z1 d
9 ?" k8 ]6 r( m% X, [ mov ah, 25h7 \; O' d) P4 s; `$ j9 a
mov al, Int_Number (01h or 03h)
4 M: `1 w P5 Z% O9 i mov dx, offset New_Int_Routine( v! C( d. @0 @' _
int 21h
" z1 J) q% a0 I" O0 f& _ q1 b% Z* M. }9 u. u
__________________________________________________________________________
; o2 _: X: r$ g* u& p/ V, I1 h2 Y+ f$ e' S7 p8 F
Method 09
* o5 f8 ]7 s3 c% q1 l4 H, V=========
( E* n- n$ ^% b2 L1 q3 M
3 j/ N: Q8 D" _+ \5 [This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
# {$ U: v, T, {& i' i( {' @; vperformed in ring0 (VxD or a ring3 app using the VxdCall).6 ?0 e! x* K. ^
The Get_DDB service is used to determine whether or not a VxD is installed
+ x2 s& e M+ d5 p: t3 l$ W0 B5 Y; rfor the specified device and returns a Device Description Block (in ecx) for
) h- Q& R, s4 Z8 ?* z, q% v* G: Cthat device if it is installed.5 s$ _8 W% x. n" I
' _' N. x) U" u- m% k. Q( r
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID/ Z" w/ N0 L& L+ e$ M% M
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)) o9 f% o3 B5 g3 F0 j& B6 s! Z) }2 n9 d
VMMCall Get_DDB
8 V8 t0 j9 {/ x( u* _$ r: g' o mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed$ @4 V* _ k0 s1 c/ H
4 ?: c3 S: {% k
Note as well that you can easily detect this method with SoftICE:
9 @6 }) B% O$ J9 b! m4 x( _' G bpx Get_DDB if ax==0202 || ax==7a5fh& o1 o$ a: W, F0 o
) r9 [3 m, Q* @7 I& P- {
__________________________________________________________________________8 ]. i! W. ]' `) v. g2 v+ ? m/ K
; H1 d1 w4 T2 [$ s% w U# PMethod 102 T; B: e ?- U& M, z1 ]3 x
=========
8 @% F a, C/ u9 a$ q0 E
; \3 e# P; [ N J=>Disable or clear breakpoints before using this feature. DO NOT trace with& g$ I3 C) a$ n* l6 }
SoftICE while the option is enable!!, e m$ `3 {; G! i
6 A/ K( G t! A- v3 p- o5 AThis trick is very efficient:9 R' j0 I, W7 |# A: U- E4 e. |
by checking the Debug Registers, you can detect if SoftICE is loaded& B, b( x9 k0 v2 n/ X
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
; _% W9 x$ ~ t0 Xthere are some memory breakpoints set (dr0 to dr3) simply by reading their
* w$ l0 E" m1 V) Q& q" m: nvalue (in ring0 only). Values can be manipulated and or changed as well6 t- e( V0 N: Y' R
(clearing BPMs for instance)
. x) F, a! ?% c4 M8 D; a. H- o
__________________________________________________________________________
* j6 ^- N; e- ?: s/ t4 S
% h N- {2 a# n1 r7 b+ U+ F1 fMethod 11
$ k6 B( S! L1 s! d: S$ b=========1 U! V5 u& C- y
' n0 P# g9 p8 ^% LThis method is most known as 'MeltICE' because it has been freely distributed
: s! W' Q# f: F* X d4 Hvia www.winfiles.com. However it was first used by NuMega people to allow
9 Z- e# ^! x6 ESymbol Loader to check if SoftICE was active or not (the code is located. d0 b# \4 h- B2 y& ? q- C
inside nmtrans.dll).
4 {$ j k5 s$ \
% M- J' ? s; {3 x9 O3 h6 lThe way it works is very simple:
* j' g1 P o/ J6 y" rIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
, v' E! `- L6 n: {! ~) X5 ~$ GWinNT) with the CreateFileA API.1 A9 N* B) h, R9 l# G0 N3 g! N
1 e/ {* S/ h$ ]; b0 m& G+ m! S# f5 _Here is a sample (checking for 'SICE'):
2 }) Q: u+ H* i; @/ Z( d8 N: x, Y. M4 ~8 O/ D
BOOL IsSoftIce95Loaded()! C( X+ {3 p# U2 E
{
4 @0 A5 T+ p$ G/ V0 H5 { HANDLE hFile;
* P1 Z' o* F0 q# \ hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,7 ^. J0 c4 h+ L9 n1 F# s) P- \
FILE_SHARE_READ | FILE_SHARE_WRITE,9 M3 A O( a: v1 a* c& e
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);; h& D/ ~5 P0 u) u& Y
if( hFile != INVALID_HANDLE_VALUE ): |# C. }6 ^) p( H% _% r
{0 u7 O, R) A1 I J0 F
CloseHandle(hFile);
- Y; m; X4 |' S return TRUE;. s0 d2 w/ K3 o9 \" e& |
}0 P! L/ N/ z. ^+ d
return FALSE;" b& d9 [" ?- y
}8 U* L4 ^! z* d3 r+ a
9 W6 s. ]$ K; B
Although this trick calls the CreateFileA function, don't even expect to be
7 p) h i+ I* K% k0 ^0 eable to intercept it by installing a IFS hook: it will not work, no way!6 R( Y! n& ~" b& O. @ Y0 c; ?" M
In fact, after the call to CreateFileA it will get through VWIN32 0x001F3 _% g' v8 I! ~
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
, X! ~9 F. S; e1 S0 Y8 v- P2 [; zand then browse the DDB list until it find the VxD and its DDB_Control_Proc
5 n% S; k6 i. Mfield.' b- ?' O+ m* k: G- M$ g9 I7 g; n
In fact, its purpose is not to load/unload VxDs but only to send a 3 `; \; v5 i1 p1 }! o0 u
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
9 T- Z: T2 | y% _0 P8 m& jto the VxD Control_Dispatch proc (how the hell a shareware soft could try
: {& I4 v I# [, h" Ito load/unload a non-dynamically loadable driver such as SoftICE ;-).
! ^$ }5 q K" V9 P! O! B( U y( W: w# ZIf the VxD is loaded, it will always clear eax and the Carry flag to allow) v4 m' w& ?3 m" X" x* o+ c
its handle to be opened and then, will be detected.
4 K4 ~1 {* T2 [6 `You can check that simply by hooking Winice.exe control proc entry point
* B/ u5 I1 L8 s; Fwhile running MeltICE., a- Q# M0 i5 E. Z
, w7 u! a f/ t3 {' Y+ J
/ Z5 t0 \/ P* r c 00401067: push 00402025 ; \\.\SICE( t d: B% s+ ?
0040106C: call CreateFileA
$ F/ _% A Y" S9 H7 L" I 00401071: cmp eax,-0019 C" C, F( o0 l9 a5 b
00401074: je 00401091/ @1 I+ T0 E* o2 w
4 r2 J& L3 k3 D/ z# d
: r3 T2 l5 y0 Q0 XThere could be hundreds of BPX you could use to detect this trick.- H+ J& m# I& y/ A" h
-The most classical one is:, N' H/ L! }; r q" U& O
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
( C3 u0 R3 ]# ` *(esp->4+4)=='NTIC'* v2 o7 @6 i/ s4 h
( N6 J+ U+ D8 m, O2 ~# ]-The most exotic ones (could be very slooooow :-(
1 D4 [# ]- ]9 U0 n+ w/ e BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') " `# p% U$ T3 E; K6 s a
;will break 3 times :-( C2 D8 L" ^+ z# J) K" T! W
; f/ Q0 p& ]" D- b, O
-or (a bit) faster: 1 R" r' z8 k9 q1 W) e
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
* Z8 H+ N2 t8 v. O1 g9 Z
1 g T; Y5 [! B% C. H* \0 X Z BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
# z9 H4 |9 R3 J, N1 k# h ;will break 3 times :-(2 q/ C' C2 K2 z3 O" b" v1 ]7 H5 N
( D* ]. [1 ]4 w
-Much faster:
3 Q/ R$ p6 P, s; m BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'4 A3 \2 u& f7 c# ^/ W
2 ?1 H" m8 Z: F9 P0 b& x! Q
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
$ L( l) i# k. N3 Y, n6 R3 W2 Gfunction to do the same job:
& y4 h) q6 d3 v1 c9 m w
* }6 n! ^( \7 U; `& D7 U+ p push 00 ; OF_READ8 O3 M5 s% q I. g. ]) F3 C
mov eax,[00656634] ; '\\.\SICE',0
* z8 i o- S4 ?+ z1 A4 g8 v3 K push eax& ?- m: R1 Q, v7 A- N4 D
call KERNEL32!_lopen
- [; {5 w5 A) N# M% u inc eax* N I" g0 Q+ E2 L! z8 i. T0 c, ]3 x
jnz 00650589 ; detected& j. A; [6 W1 I8 r
push 00 ; OF_READ Y8 `7 d& x! {8 X' e8 a
mov eax,[00656638] ; '\\.\SICE'
9 X c3 J! y) e4 @. U4 p push eax
3 Q/ u( \# s: T call KERNEL32!_lopen
6 ~. Q% H! l3 \& m E, ~& @/ {# ? inc eax6 [9 n R3 H5 L, B
jz 006505ae ; not detected
9 T- B' q" w6 U* d# O/ c3 q5 s. Q+ w5 ^% r5 {+ |: X0 g
) D( m; n& T" x! w
__________________________________________________________________________
% d7 t+ X) l, c5 l% x" i$ N: J5 n# ]
Method 12
6 _* x& B/ k& u& ^7 L. _/ |=========0 l$ w3 \; _$ n% O8 z: ]& l
% a1 Q' d' h# K2 G
This trick is similar to int41h/4fh Debugger installation check (code 050 f8 K a! N1 s+ x: F0 ^8 Z( r
& 06) but very limited because it's only available for Win95/98 (not NT)5 D7 u$ _+ c# V* ^
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
7 |3 u& K G$ ]; w- |
# p* F- w& h& e+ r' W3 z2 B push 0000004fh ; function 4fh
) o7 r, B- ]" W push 002a002ah ; high word specifies which VxD (VWIN32)
- ]2 F" O0 Z- P6 o' d ; low word specifies which service; {" [* l. c- f6 s4 R* l
(VWIN32_Int41Dispatch)1 U) R- h& y- j5 T8 M
call Kernel32!ORD_001 ; VxdCall3 ~8 T& N2 |' W5 K+ B7 l
cmp ax, 0f386h ; magic number returned by system debuggers( X4 L( m( d. ^; h3 a) z/ f* P5 \
jz SoftICE_detected
5 D8 ?! C. j/ w
% \. g0 s- h2 k/ E7 A4 Q5 [Here again, several ways to detect it:! x0 e2 \: F6 c! Q: q" Y; B
( f1 s3 X+ T& s: Y+ P
BPINT 41 if ax==4f* ~1 j$ S$ Z4 z2 r5 S
# g9 O1 [/ r* Y& l+ a& M
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one; ]3 w" Y5 k" _
3 n2 R1 W1 z! |4 a" u# L
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A. p+ N3 D1 z+ S2 N% f' F' F# m
9 |" B5 [! t; _/ J8 D; B9 Y3 V BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
) r. v0 _3 I$ v" s# C5 Q# E7 z3 T. g$ F: F7 M' Z
__________________________________________________________________________; L+ n" q) @! M6 l5 |4 X" n! V1 h
- |! D6 s! M* C
Method 134 [! t% B% d" _! h1 s! X. K
=========1 O* Q- t9 t6 I& `! m7 W8 `
8 K. h# l$ c7 rNot a real method of detection, but a good way to know if SoftICE is' M6 O3 m- h# o6 E$ o2 `
installed on a computer and to locate its installation directory.
4 t+ U. ]& q \2 g/ p$ ^+ E/ ?It is used by few softs which access the following registry keys (usually #2) :
, c2 z4 j! A1 E9 q# }5 e4 i9 }' A. D O6 H- Q
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
3 v$ \) X# J/ q* f\Uninstall\SoftICE0 |! j/ n) n: ^+ z i
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE/ `" Q! e* w, ]9 s5 n" {
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
* b' t+ ]. T" B! b\App Paths\Loader32.Exe
# d4 Z! O: i" J, o* n z# ]' h7 w) F$ c6 N0 o" S
1 h8 [0 e. [' z4 o* ?" N$ O+ t7 `5 jNote that some nasty apps could then erase all files from SoftICE directory/ Y) R& W) @4 f6 Z2 k1 h& i4 G1 e$ e
(I faced that once :-(# \/ d0 K! @6 ~6 {
$ n2 g( |! R! L- ]) o; hUseful breakpoint to detect it:
: V+ k; j) k6 k0 s. f* \, l. J" z8 g, F% t: v' y4 A
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'; X# r. {6 |5 A% u; Z! g+ {
0 A8 L0 L+ Y6 n6 D$ A# S. k__________________________________________________________________________7 ^, O. {+ S0 n! w% M9 H }; C3 _
A* R4 N3 O0 ?- r! t& }, q6 `- {" [# _* N2 W$ f( U
Method 14 " O- F4 i( N- }5 \9 Z
=========( J/ V+ ~& S2 f( F
8 t- B) X1 p" l- H3 F6 v. wA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
4 i' t9 Z% x5 y# H; U+ ^$ ^is to determines whether a debugger is running on your system (ring0 only).! A T$ }" y* w/ Y6 l3 o; I
1 k( H7 l+ N; v$ j& u3 ~- \) I
VMMCall Test_Debug_Installed
6 G4 q+ W M/ e: z( ~/ n3 D je not_installed0 `) N+ ~' Q7 S4 R
$ O5 E8 m+ \8 T" ~8 N
This service just checks a flag.
, f! ], W: S; Z+ T- u6 Z( d6 I</PRE></TD></TR></TBODY></TABLE> |