<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature ('BCHK') that SoftICE recognises:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                ; a loaded SoftICE answers the request and AL is no longer 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It calls
the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV  AX,0911      ; execute command.
4C19:0098 MOV  DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647      ; 1st magic value.
4C19:009D MOV  DI,4A4D      ; 2nd magic value.
4C19:00A0 INT  3            ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD  BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06        ; Repeat 6 times to execute
4C19:00A8 JB   0095         ; 6 different commands.
4C19:00AA JMP  0002         ; Bad_Guy jmp back.
4C19:00AD MOV  BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; still 0:0 if no VxD with that ID answered
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; ES is assumed to address the interrupt vector table (segment 0):
    xchg bx, es:[41h*4+2]   ; install our own int 41h handler, keep the old vector in bx:dx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; our handler leaves ax untouched, so only a debugger can reply F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov cl,al               ; our handler copies AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, save the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read a changing value from the timer port
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; CL equals AL only if our handler actually ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h             ; DOS set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds when the SICE VxD
       is loaded, so a valid handle means SoftICE is present. */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}
" C% c, G. p5 n% G" ~) q9 S! s5 l: Q1 h4 M6 H
Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov  eax,[00656634]     ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                ; _lopen returns -1 on failure, so eax becomes 0 only if the open failed
    jnz  00650589           ; detected
    push 00                 ; OF_READ
    mov  eax,[00656638]     ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae           ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp  ax, 0f386h         ; magic number returned by system debuggers
    jz   SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
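The tricks above all leave fixed immediates or strings in the executable, so an analyst can look for them statically before stepping through a sample. The following Python scanner is an added example, not part of the original text or of any tool it names: it searches a raw binary for the byte sequences of Methods 01 to 07 and 12 and the device-name and registry strings of Methods 11 and 13. It assumes standard x86 encodings (16-bit code for the DOS-era methods, 32-bit for Method 12), allows a short wildcard gap between the instructions of each sequence (a guess that may need widening for padded or reordered code), and the sample buffers at the bottom are constructed, not taken from real files.

```python
"""Static scanner for the SoftICE-detection idioms described on this page.

Added example, not from the original text.  Immediates are little-endian,
so 4647h appears as 47 46 and 4243484Bh as 4B 48 43 42.  Wildcard gaps
between instructions are an assumption and may need widening.
"""
import re

# One rule per trick: (label, regex over raw bytes).
RULES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    #            BD imm32 in 32-bit code, 66 BD imm32 in 16-bit code
    ("01 BoundsChecker 'BCHK' + int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3  (SoftICE back door)
    ("02 int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h with SICE or SIWVID VxD ID",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                re.DOTALL)),
    # Method 05: mov ax,4Fh ; int 41h
    ("05 int 41h function 4Fh",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h function 43h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    # Methods 05/07/12: cmp ax,0F386h (3D imm16, with a 66 prefix in 32-bit code)
    ("05/07/12 compare with magic F386h",
     re.compile(rb"\x66?\x3D\x86\xF3")),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch/4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 11: driver device names opened with CreateFileA or _lopen
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 13: registry keys that reveal a SoftICE installation
    ("13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|"
                rb"App Paths\\Loader32\.Exe", re.IGNORECASE)),
]


def scan(blob):
    """Return [(label, offset), ...] for every rule match, sorted by offset."""
    hits = []
    for label, rx in RULES:
        for m in rx.finditer(blob):
            hits.append((label, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_file(path):
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: Method 01 as assembled in 32-bit code
#   mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz short +5
SAMPLE_BCHK = bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04" "7505")
# Constructed sample: the Haspinst.exe sequence from Method 02 (16-bit)
#   mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
SAMPLE_BACKDOOR = bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC")
# Constructed sample: Method 05 (16-bit)
#   mov ax,4Fh / int 41h / cmp ax,0F386h / jz short +2
SAMPLE_INT41 = bytes.fromhex("B84F00" "CD41" "3D86F3" "7402")
# Constructed sample: Method 12 (32-bit); the call target is a placeholder
#   push 4Fh / push 2A002Ah / call rel32 / cmp ax,0F386h / jz short
SAMPLE_VXDCALL = bytes.fromhex("6A4F" "682A002A00" "E800000000" "663D86F3" "7400")
# Constructed sample: strings a MeltICE-style checker carries (Methods 11/13)
SAMPLE_STRINGS = (b"\x00" * 4 + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"
                  + b"Software\\NuMega\\SoftICE\x00")
# Constructed sample with none of the idioms (an ordinary function prologue)
SAMPLE_CLEAN = bytes.fromhex("558BEC83EC10") + b"hello, world\x00"

if __name__ == "__main__":
    for name, blob in [("bchk", SAMPLE_BCHK), ("backdoor", SAMPLE_BACKDOOR),
                       ("int41", SAMPLE_INT41), ("vxdcall", SAMPLE_VXDCALL),
                       ("strings", SAMPLE_STRINGS), ("clean", SAMPLE_CLEAN)]:
        print(name, scan(blob))
```

Run scan_file() on a suspect executable to get the offsets of every match; the hits only say that the idiom is present, so each one still has to be confirmed in the disassembly, and the F386h rule in particular can match unrelated data.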
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>