<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature that SoftICE recognises: int 3 is
called with ebp = 'BCHK' and ax = 4; if al is no longer 4 afterwards,
SoftICE answered the call.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
Less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(API "Get Device API Entry Point"); a non-zero entry point means the VxD
is loaded.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h      ; VxD ID of winice
    int 2Fh
    mov ax, es         ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one, except that it looks up the ID of
the SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh      ; VxD ID of SIWVID
    int 2fh
    mov ax, es         ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method looking for the 'magic number' 0F386h returned (in ax) by any
system debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). A private int 41h handler is
installed while the call is made, so that a plain DOS system without a
debugger returns unchanged:

    ; es must hold 0 (the interrupt vector table segment), as in method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method similar to the preceding one but more difficult to detect,
since ax is not set to 4Fh: the installed handler copies al into cl, so
if the call reaches the program's own handler cl equals al; if the
interrupt is intercepted before that handler runs, cl keeps its zero
value and the comparison fails:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; arbitrary value (timer port) instead of 4Fh
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to
another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or if there are some memory breakpoints set (dr0 to dr3)
simply by reading their value (in ring0 only). The values can be
manipulated or changed as well (clearing BPMs, for instance).
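The two DR7 values quoted above are easier to reason about with the register's bit layout in front of you. The following decoder is an added example (not code from the original article): it uses the documented x86 DR7 layout, in which 0x400 is just the reserved bit 10 that always reads as 1, and 0x700 additionally has LE (bit 8) and GE (bit 9) set, while L0..L3/G0..G3 enable the four hardware breakpoints whose type and length sit in bits 16..31. It goes beyond the page by decoding any DR7 value, not only the two quoted; the sample values in the comments are constructed.

```python
"""Decode x86 debug control register DR7 (added example, not article code).

Bit layout (Intel SDM vol. 3, "Debug Registers"):
  bits 0..7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
  bit  8      LE   local exact breakpoint enable
  bit  9      GE   global exact breakpoint enable
  bit 10      reserved, always reads as 1 (hence the 0x400 floor)
  bit 13      GD   general detect (trap on any MOV to/from DRn)
  bits 16..31 R/Wn (2 bits) and LENn (2 bits) for each of DR0..DR3
"""

DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED = 1 << 10
DR7_GD = 1 << 13

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 0b10 = 8 bytes exists only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the enabled hardware breakpoints and the global flags in dr7."""
    bps = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue          # slot n disabled: its R/W and LEN fields are irrelevant
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({"slot": n, "local": local, "global": glob,
                    "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"le": bool(dr7 & DR7_LE), "ge": bool(dr7 & DR7_GE),
            "gd": bool(dr7 & DR7_GD), "breakpoints": bps}


def encode_dr7(slot: int, rw: str, length: int, global_enable: bool = True) -> int:
    """Build a DR7 value enabling one breakpoint slot (used here to construct values)."""
    rw_code = {v: k for k, v in RW_NAMES.items()}[rw]
    len_code = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * slot + 1) if global_enable else 1 << (2 * slot)
    return DR7_RESERVED | enable | (rw_code << (16 + 4 * slot)) | (len_code << (18 + 4 * slot))


def classify(dr7: int) -> str:
    """Apply the page's rule of thumb to a DR7 value read from ring 0."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoint(s) set (BPM)"
    if d["le"] and d["ge"]:
        return "LE/GE set: the page reports 0x700 when loaded via the SoftICE loader"
    return "no breakpoints, LE/GE clear (the page reports 0x400 otherwise)"


if __name__ == "__main__":
    # constructed sample values: the two from the page plus one 4-byte write BPM in DR0
    for value in (0x400, 0x700, encode_dr7(0, "write", 4)):
        print(f"dr7={value:#x}: {classify(value)} {decode_dr7(value)['breakpoints']}")
```

The classification only reproduces the page's rule of thumb; the decoder itself is generic and shows why a set BPM is visible regardless of the LE/GE state: any L/G enable bit in the low byte is a breakpoint, whatever bits 8..10 say.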

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

    #include <windows.h>

    /* Returns TRUE if a handle to the SICE device can be opened, i.e. the
       SoftICE Win9x VxD is loaded. The same check is done with
       "\\\\.\\SIWVID" and, on NT, "\\\\.\\NTICE". */
    BOOL IsSoftIce95Loaded(void)
    {
        HANDLE hFile;
        hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
            CloseHandle(hFile);
            return TRUE;
        }
        return FALSE;
    }

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
try to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:

    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:

    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

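Most of the checks above leave fixed byte sequences in the protected program: the 'BCHK' constant of method 01, the 4647h/4A4Dh magic values of method 02, the 1684h/0202h/7A5Fh values of methods 03 and 04, the 4Fh/0F386h pair of methods 05 and 07, the 002A002Ah VxDCall constant of method 12 and the \\.\SICE device names of this method. The scanner below is an added example, not code from the original article: it searches a raw binary for those sequences so an analyst can spot the tricks in a sample before running it. The opcode encodings are hand-assembled for 16-bit code (with the 32-bit operand-size prefix 66h accepted where it would appear), and the sample "binary" is constructed from fragments of the page's own listings; only the magic values come from the article.

```python
"""Static scanner for the anti-SoftICE patterns described on this page.

Added example, not code from the original article: it searches a raw binary
for byte sequences that implement the checks above. Encodings are
hand-assembled for 16-bit code; the 32-bit operand-size prefix 66h is
accepted where it would appear.
"""
import re
import sys

# (method on the page, description, regex over raw bytes)
SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK') followed by int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    ("02", "int 3 back door magic values: mov si,4647h / mov di,4A4Dh",
     re.compile(rb"\x66?\xBE\x47\x46.{0,4}?\x66?\xBF\x4D\x4A", re.DOTALL)),
    ("03", "int 2Fh/1684h with the SICE VxD ID 0202h",
     re.compile(rb"\xB8\x84\x16.{0,4}?\xBB\x02\x02.{0,4}?\xCD\x2F", re.DOTALL)),
    ("04", "int 2Fh/1684h with the SIWVID VxD ID 7A5Fh",
     re.compile(rb"\xB8\x84\x16.{0,4}?\xBB\x5F\x7A.{0,4}?\xCD\x2F", re.DOTALL)),
    ("05", "int 41h function 4Fh then cmp ax,0F386h",
     re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41.{0,8}?\x66?\x3D\x86\xF3", re.DOTALL)),
    ("07", "int 68h function 43h then cmp ax,0F386h",
     re.compile(rb"\xB4\x43\xCD\x68.{0,8}?\x66?\x3D\x86\xF3", re.DOTALL)),
    ("11", "MeltICE device name string",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("12", "VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
]


def scan(blob: bytes) -> list:
    """Return sorted (offset, method, description) tuples for every match."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob: bytes) -> list:
    """Distinct page methods present, in the order they first appear."""
    seen = []
    for _, method, _ in scan(blob):
        if method not in seen:
            seen.append(method)
    return seen


# Constructed sample "binary": hand-assembled 16-bit fragments of methods 01,
# 02, 03, 05, 11 and 12 from the page (decimal offsets in the comments).
SAMPLE = (
    b"\x90\x90"                                                   # 0:  nop nop
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"          # 2:  method 01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # 14: method 02 (SI/DI at 19)
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # 26: method 03 (mov ax at 30)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                          # 38: method 05
    + b"\\\\.\\SICE\x00"                                           # 46: method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                              # 55: method 12
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, method, desc in scan(data):
        print(f"{off:08x}  method {method}: {desc}")
```

Run it with a file name to scan that file, or with no arguments to scan the constructed sample. The gaps (`.{0,8}?`) allow a few unrelated instructions between the constant and the interrupt, as in the Haspinst.exe listing of method 02; a packer that builds the constants arithmetically or splits them across registers will not match, which is the usual limitation of byte signatures.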
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>