<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognises: with
EBP = 'BCHK' and AX = 4, an int 3 is treated as a BoundsChecker request. If
SoftICE is loaded, its int 3 handler answers it and AL no longer holds 4 on
return, which is what the cmp tests.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02             ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It asks for the SoftICE VxD by its ID through int 2Fh,
function 1684h (Get Device API Entry Point): ES:DI comes back as 0 when no
VxD with that ID is loaded, so a non-zero entry point reveals the debugger.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; es -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler ...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ... and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; es -> interrupt vector table (segment 0)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our own int 41h handler ...
        xchg bx, es:[41h*4+2]
        in al, 40h              ; arbitrary byte read from the timer port
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; ... and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

The int 41h is issued with whatever the timer port left in AL instead of
function 4Fh, so a breakpoint conditioned on AX==4Fh does not fire. What is
tested is whether the program's own handler (which copies AL into CL) ever
ran: if a debugger answered the interrupt without chaining to it, CL is still
0 and differs from AL.
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
        (the function called is located at byte ptr [ebp+1Dh] and the client
        eip is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (the computer hangs...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

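To make sense of the two DR7 values quoted above, here is an added example (not part of the original text) that decodes the register's bit fields as documented by Intel: 0x700 is bit 10 (reserved, always reads as 1) plus the LE and GE exact-match flags, while 0x400 is bit 10 alone with nothing armed. The third value in main() is a constructed one showing what a single global write breakpoint on DR0 looks like; the struct and function names are my own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Decoded DR7 (bit layout as documented in the Intel SDM, vol. 3). */
typedef struct {
    bool local[4];   /* L0..L3, bits 0/2/4/6: DRn armed for the current task      */
    bool global[4];  /* G0..G3, bits 1/3/5/7: DRn armed for all tasks             */
    unsigned rw[4];  /* R/Wn, bits 16+4n: 0=execute 1=write 2=I/O 3=read/write    */
    unsigned len[4]; /* LENn, bits 18+4n: 0=1 byte 1=2 bytes 2=8 bytes 3=4 bytes  */
    bool le, ge;     /* bits 8/9: local/global exact breakpoint match             */
    bool gd;         /* bit 13: general detect (trap on MOV to/from a DRn)        */
    unsigned armed;  /* number of DR0..DR3 enabled locally or globally            */
} dr7_t;

dr7_t dr7_decode(uint32_t dr7)
{
    dr7_t d = {0};
    for (unsigned n = 0; n < 4; n++) {
        d.local[n]  = (dr7 >> (2 * n)) & 1;
        d.global[n] = (dr7 >> (2 * n + 1)) & 1;
        d.rw[n]     = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n]    = (dr7 >> (18 + 4 * n)) & 3;
        if (d.local[n] || d.global[n])
            d.armed++;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* True when LE and GE are both set: the only difference between the 0x700
 * the text reports under the SoftICE loader and the plain 0x400. */
bool dr7_has_exact_match_flags(uint32_t dr7)
{
    return ((dr7 >> 8) & 3) == 3;
}

void dr7_print(uint32_t dr7)
{
    static const char *rw_names[]  = { "exec", "write", "io", "rw" };
    static const char *len_names[] = { "1", "2", "8", "4" };
    dr7_t d = dr7_decode(dr7);
    printf("DR7=%08x LE=%d GE=%d GD=%d armed=%u\n",
           (unsigned)dr7, d.le, d.ge, d.gd, d.armed);
    for (unsigned n = 0; n < 4; n++)
        if (d.local[n] || d.global[n])
            printf("  DR%u: %s%s %s len=%s\n", n, d.local[n] ? "L" : "",
                   d.global[n] ? "G" : "", rw_names[d.rw[n]], len_names[d.len[n]]);
}

int main(void)
{
    dr7_print(0x700);       /* value quoted for a program started from the SoftICE loader */
    dr7_print(0x400);       /* value quoted otherwise: nothing armed                       */
    dr7_print(0x000D0002);  /* constructed: DR0 global, write, 4 bytes (a BPM-style bp)    */
    return 0;
}
```

Reading DR7 from ring0 therefore tells a program two separate things: whether any of DR0..DR3 is armed (the `armed` count, which is what a BPM leaves behind) and whether the LE/GE flags are set, which is the only thing distinguishing the 0x700 and 0x400 values the text mentions.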
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
                CloseHandle(hFile);
                return TRUE;
        }
        return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========
This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

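Every check above leaves fixed bytes in the program that uses it: the 'BCHK' immediate of Method 01, the 4647h/4A4Dh loads of Method 02, the int 2Fh/1684h sequences of Methods 03 and 04, the int 41h/4Fh and int 68h/43h sequences of Methods 05 and 07, the \\.\SICE-style device names of Method 11 and the NuMega registry path of Method 13. The following is an added example (not part of the original text or of any tool it mentions): a small C triage scanner that sweeps a raw code buffer for those byte patterns. The patterns are the little-endian encodings of the instructions exactly as listed in the methods above (16-bit code; a packer that reorders the instructions or uses different registers slips past), the labels and the sample buffer are constructed for this example, and a 4-byte hit such as 'BCHK' can also occur in ordinary data, so a match is a lead for manual inspection rather than proof.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* One signature: a byte pattern that a SoftICE check leaves in a binary
 * (instruction immediates, a device name or a registry path) plus a label. */
typedef struct {
    const char *name;
    const unsigned char *pat;
    size_t len;
} sig_t;

/* Little-endian encodings of the instructions quoted in the methods above
 * (16-bit code; the BCHK immediate is the same bytes in 16- or 32-bit code).
 * Labels are constructed for this example. */
static const unsigned char P_BCHK[]   = { 0x4B, 0x48, 0x43, 0x42 };                         /* 'BCHK' (Method 01) */
static const unsigned char P_SIDI[]   = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };             /* mov si,4647h / mov di,4A4Dh (Method 02) */
static const unsigned char P_SICE[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,0202h / int 2Fh (Method 03) */
static const unsigned char P_SIWVID[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* mov ax,1684h / mov bx,7A5Fh / int 2Fh (Method 04) */
static const unsigned char P_INT41[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3 }; /* mov ax,4Fh / int 41h / cmp ax,0F386h (Method 05) */
static const unsigned char P_INT68[]  = { 0xB4, 0x43, 0xCD, 0x68, 0x3D, 0x86, 0xF3 };       /* mov ah,43h / int 68h / cmp ax,0F386h (Method 07) */
static const unsigned char P_DEV1[]   = "\\\\.\\SICE";                                       /* device names (Method 11) */
static const unsigned char P_DEV2[]   = "\\\\.\\SIWVID";
static const unsigned char P_DEV3[]   = "\\\\.\\NTICE";
static const unsigned char P_REG[]    = "Software\\NuMega\\SoftICE";                         /* registry key #2 (Method 13) */

#define BYTES(label, a) { label, a, sizeof a }        /* raw byte array            */
#define TEXT(label, a)  { label, a, sizeof a - 1 }    /* string literal minus NUL  */

static const sig_t SIGS[] = {
    BYTES("'BCHK' immediate (Method 01)", P_BCHK),
    BYTES("SI=4647h/DI=4A4Dh back door magic (Method 02)", P_SIDI),
    BYTES("int 2Fh/1684h on VxD 0202h SICE (Method 03)", P_SICE),
    BYTES("int 2Fh/1684h on VxD 7A5Fh SIWVID (Method 04)", P_SIWVID),
    BYTES("int 41h/4Fh with cmp ax,0F386h (Method 05)", P_INT41),
    BYTES("int 68h/43h with cmp ax,0F386h (Method 07)", P_INT68),
    TEXT("\\\\.\\SICE device name (Method 11)", P_DEV1),
    TEXT("\\\\.\\SIWVID device name (Method 11)", P_DEV2),
    TEXT("\\\\.\\NTICE device name (Method 11)", P_DEV3),
    TEXT("NuMega\\SoftICE registry path (Method 13)", P_REG),
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

typedef struct { const char *name; size_t offset; } hit_t;

/* Brute-force scan: every offset against every signature. Returns the total
 * number of matches; the first max_hits are written out in offset order. */
size_t scan_softice_checks(const unsigned char *buf, size_t len,
                           hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        for (size_t s = 0; s < NSIGS; s++) {
            const sig_t *sg = &SIGS[s];
            if (sg->len <= len - i && memcmp(buf + i, sg->pat, sg->len) == 0) {
                if (n < max_hits) { hits[n].name = sg->name; hits[n].offset = i; }
                n++;
            }
        }
    }
    return n;
}

/* Constructed sample: benign bytes around three of the checks and one
 * device-name string, as a packer stub might contain them. */
static const unsigned char SAMPLE[] = {
    0x55, 0x8B, 0xEC,                                /* push ebp / mov ebp,esp        */
    0xBD, 0x4B, 0x48, 0x43, 0x42,                    /* mov ebp,4243484Bh      (@4)   */
    0x66, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04,        /* mov ax,4 / int 3 / cmp al,4   */
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,  /* Method 03 sequence     (@15)  */
    0x90,                                            /* nop                           */
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3,  /* Method 05 sequence     (@24)  */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,    /* "\\.\SICE",0           (@32)  */
    0xC3                                             /* ret                           */
};

int main(void)
{
    hit_t hits[16];
    size_t n = scan_softice_checks(SAMPLE, sizeof SAMPLE, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("offset %3zu: %s\n", hits[i].offset, hits[i].name);
    return 0;
}
```

On the constructed sample the scanner reports four hits (offsets 4, 15, 24 and 32); the benign BoundsChecker-style `cmp al,4` in between is deliberately not a signature, since only the 'BCHK' immediate is specific enough to be worth flagging. Feeding it a real file means reading the file into a buffer and calling scan_softice_checks on it; the device-name and registry-path entries are the same strings a string-dump tool would show, so the value of the scanner is in the instruction sequences.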
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>