<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: if SoftICE is loaded,
its int 3 handler answers the BoundsChecker query and AL no longer holds 4.

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get at the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911    ; execute command.
    4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647    ; 1st magic value.
    4C19:009D MOV DI,4A4D    ; 2nd magic value.
    4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
    4C19:00A8 JB 0095        ; 6 different commands.
    4C19:00AA JMP 0002       ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* The "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point); ES:DI stays 0000:0000 when no VxD with that ID is
loaded:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of WinICE
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one (Method 06), are two examples
from Stone's "stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; install a dummy int 41h handler (es must
    xchg bx, es:[41h*4+2]    ; be 0, see Method 06); old vector kept in dx:bx
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install the handler above
    xchg bx, es:[41h*4+2]
    in al, 40h               ; unpredictable value read from the timer
    xor cx, cx
    int 41h                  ; our handler copies al into cl...
    xchg dx, es:[41h*4]      ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al               ; ...unless SoftICE swallowed the int 41h
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                  ; HFILE_ERROR (-1) becomes 0
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh           ; function 4fh
    push 002a002ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001    ; VxDCall
    cmp ax, 0f386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

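The constants above are exactly what an analyst greps a sample for before running it: the 'BCHK' stub of Method 01, the 4647h/4A4Dh magic values of Method 02, the int 2Fh/1684h VxD ID probe of Methods 03 and 04, the int 41h/4Fh check of Method 05, the MeltICE device names of Method 11, the VxDCall push pair of Method 12 and the registry key of Method 13. The following static scanner is an added example and not part of the original text; the x86 byte encodings it assumes are the 16-bit forms (with an optional 66h prefix for the same instructions in 32-bit code), and the buffer it scans is constructed here, not taken from any real file.

```python
import re

# Byte-level signatures for the anti-SoftICE checks described on this page.
# Encodings assumed (added example, not from the page): 16-bit forms, with an
# optional 66h operand-size prefix for the same instructions in 32-bit code.
SIGNATURES = [
    ("01", "mov ebp,'BCHK' ... int 3 (BoundsChecker signature)",
     re.compile(rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc", re.DOTALL)),
    ("02", "mov si,4647h / mov di,4A4Dh ... int 3 (back door magic values)",
     re.compile(rb"(?:\x66)?\xbe\x47\x46.{0,12}?(?:\x66)?\xbf\x4d\x4a.{0,12}?\xcc",
                re.DOTALL)),
    ("03/04", "mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh (VxD ID probe)",
     re.compile(rb"(?:\x66)?\xb8\x84\x16(?:\x66)?\xbb(?:\x02\x02|\x5f\x7a)(?:\x00\x00)?\xcd\x2f")),
    ("05", "mov ax,4Fh / int 41h ... cmp ax,0F386h",
     re.compile(rb"(?:\x66)?\xb8\x4f\x00(?:\x00\x00)?\xcd\x41.{0,8}?(?:\x66)?\x3d\x86\xf3",
                re.DOTALL)),
    ("11", "MeltICE device name \\\\.\\SICE, SIWVID or NTICE",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
    ("13", "registry probe for Software\\NuMega\\SoftICE",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(blob: bytes):
    """Return (method, offset, description) for every hit, sorted by offset."""
    hits = []
    for method, desc, pat in SIGNATURES:
        for m in pat.finditer(blob):
            hits.append((method, m.start(), desc))
    return sorted(hits, key=lambda h: h[1])


def methods_found(blob: bytes):
    """Sorted list of the page's method numbers whose signature is present."""
    return sorted({h[0] for h in scan(blob)})


# Constructed sample (not a real file): a 32-bit Method 01 stub, then the
# Haspinst-style Method 02 sequence in 16-bit encoding, a MeltICE device
# name and the Method 12 push pair, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42"            # mov ebp, 4243484Bh  ('BCHK')
    + b"\x66\xb8\x04\x00"                # mov ax, 4
    + b"\xcc"                            # int 3
    + b"\x3c\x04\x75\x10"                # cmp al, 4 / jnz +10h
    + b"\xb8\x11\x09"                    # mov ax, 0911h
    + b"\xbe\x47\x46"                    # mov si, 4647h
    + b"\xbf\x4d\x4a"                    # mov di, 4A4Dh
    + b"\xcc"                            # int 3
    + b"\\\\.\\SICE\x00"                 # MeltICE device name
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"    # push 4Fh / push 002A002Ah
)

if __name__ == "__main__":
    for method, off, desc in scan(SAMPLE):
        print(f"offset {off:#06x}: Method {method} - {desc}")
```

A hit is an indicator to inspect, not a verdict: the page itself shows these sequences inside legitimate protectors such as the HASP Envelope, so the surrounding code decides what the check is used for.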
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>