<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK' (BoundsChecker magic)
        mov ax, 04h
        int 3                   ; SoftICE services this request and alters al
        cmp al,4
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095  MOV AX,0911      ; execute command.
4C19:0098  MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647      ; 1st magic value.
4C19:009D  MOV DI,4A4D      ; 2nd magic value.
4C19:00A0  INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06        ; Repeat 6 times to execute
4C19:00A8  JB 0095          ; 6 different commands.
4C19:00AA  JMP 0002         ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):


        xor di,di
        mov es,di               ; ES:DI = 0 before the call
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; still 0 if no VxD answered
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di               ; ES:DI = 0 before the call
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; assumes es = 0 (the real-mode IVT segment), as set up in Method 06
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our own int 41h handler (offset)
        xchg bx, es:[41h*4+2]   ; ... and its segment
        mov ax,4fh
        int 41h                 ; our handler just returns unless SoftICE intercepts it
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl,al               ; our handler copies al into cl
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; es = 0 (real-mode IVT segment)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; swap in our own int 41h handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; timer port: an unpredictable byte in al
        xor cx,cx
        int 41h                 ; if SoftICE owns int 41h, our handler never runs
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl == al only if our handler was reached
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the SoftICE VxD by its device name */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the driver answered: SoftICE is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067:  push 00402025        ; \\.\SICE
        0040106C:  call CreateFileA
        00401071:  cmp eax,-001         ; INVALID_HANDLE_VALUE
        00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                 ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                 ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; -1 (failure) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
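As an added example (not part of the original text), a small static triage scanner that flags the byte encodings of the idioms from methods 01-05, 07, 11, 12 and 13 in a raw image, so a packed sample can be screened for these checks before it is ever run. The encodings are the standard 16/32-bit x86 ones; the sample image at the bottom is constructed.

```python
"""Static triage scanner for the SoftICE-detection idioms above (methods 01-05,
07, 11, 12, 13). Added example, not from the original text: the byte encodings
are standard 16/32-bit x86 and the sample image at the bottom is constructed."""
import re
from typing import List, Tuple

# (label, pattern over raw bytes). Immediates are little-endian; re.S lets '.'
# span any byte, so a few instructions may sit between the anchors.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker BCHK/int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    # Method 02: mov si,4647h ... mov di,4A4Dh (66h prefix in 32-bit code)
    ("02 back-door magic SI=4647h DI=4A4Dh",
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A", re.S)),
    # Methods 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    ("03/04 int 2Fh/1684h VxD ID",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh ; int 41h ... cmp ax,0F386h
    ("05 int 41h/4Fh vs 0F386h",
     re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3", re.S)),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11 (MeltICE): driver names passed to CreateFileA / _lopen
    ("11 MeltICE driver name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch", re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: registry keys #1/#2
    ("13 SoftICE registry key",
     re.compile(rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)", re.I)),
]


def scan(image: bytes) -> List[Tuple[str, int]]:
    """Return (label, offset) for every hit, ordered by offset."""
    hits = [(label, m.start()) for label, pat in SIGNATURES for m in pat.finditer(image)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample image: the idioms' encodings padded with NOPs (not a real file).
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # 01 at offset 4
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"           # 02 at offset 22
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                   # 03 at offset 32
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # 05 at offset 43
    + b"\x90" * 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # 12 at offset 54
    + b"\x00\\\\.\\SICE\x00Software\\NuMega\\SoftICE\x00"   # 11 at 62, 13 at 71
)

if __name__ == "__main__":
    for label, off in scan(SAMPLE):
        print(f"{off:08x}  {label}")
```

Hits are only a triage hint: the same immediates can occur in unrelated code, so confirm each offset in a disassembler.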

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>