<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: SoftICE's int 3 handler
recognises the BoundsChecker handshake (ebp='BCHK', ax=4) and returns with
al cleared, whereas without SoftICE al is still 4 after the int 3.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed before the call and is only
changed if a VxD with that ID is loaded.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped for a dummy
iret handler before the call and restored afterwards, so the check does not
depend on whatever handler the IVT currently holds (es is assumed to be 0
here; the next method sets it explicitly):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The dummy handler copies al into cl, so if nothing else touches the
interrupt cl equals al on return. al is read from the timer port (in al,40h)
so the expected value changes every time; if a debugger intercepts the
interrupt and al or cl does not come back as the dummy handler left them,
the compare fails and the debugger is detected. When the port happens to
read 0 the check cannot tell the two cases apart.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxdCall backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
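Added example (not part of the original text): a decoder for the DR7 bit
layout behind the 0x400/0x700 values above, with the heuristics of this
method applied to DR0-DR3/DR7. Python cannot read the debug registers
itself; the values are assumed to have been read in ring0 as the text
requires, and the sample values at the bottom are constructed. Function
names are my own.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bit 2n       Ln    local enable for DRn        (n = 0..3)
#   bit 2n+1     Gn    global enable for DRn
#   bit 8        LE    local exact breakpoint enable
#   bit 9        GE    global exact breakpoint enable
#   bit 10       reserved, always reads as 1 (hence the "empty" value 0x400)
#   bit 13       GD    general detect: any MOV to/from DRn raises #DB
#   bits 16+4n   R/Wn  two bits: 00 exec, 01 write, 10 I/O, 11 read/write
#   bits 18+4n   LENn  two bits: 00 1 byte, 01 2 bytes, 11 4 bytes (10: 8 in 64-bit)
DR7_LE = 0x100
DR7_GE = 0x200
DR7_RESERVED = 0x400
DR7_GD = 0x2000

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the breakpoints armed by DR7 and the LE/GE/GD flags."""
    armed = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue                  # DRn not enabled: its RW/LEN bits are dead
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        armed.append({"index": n, "local": bool(local), "global": bool(glob),
                      "kind": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"breakpoints": armed,
            "le": bool(dr7 & DR7_LE),
            "ge": bool(dr7 & DR7_GE),
            "gd": bool(dr7 & DR7_GD)}


def softice_indicators(dr7: int, dr0_3=(0, 0, 0, 0)) -> list:
    """Apply the heuristics of this method to register values read in ring0.

    dr7 = 0x400 is the idle value (only the reserved bit); 0x700 adds LE and
    GE, which is what the text reports after loading through the SoftICE
    loader. Any Ln/Gn bit means a BPM (or other hardware breakpoint) is
    armed, and dr0_3 gives the linear addresses it watches.
    """
    d = decode_dr7(dr7)
    hits = []
    if d["le"] and d["ge"]:
        hits.append("DR7 LE/GE set (0x700 pattern: loaded via SoftICE loader)")
    for bp in d["breakpoints"]:
        hits.append("BPM DR%d: %s len=%d at 0x%08X"
                    % (bp["index"], bp["kind"], bp["length"], dr0_3[bp["index"]]))
    if d["gd"]:
        hits.append("GD set: debugger traps any access to DR0-DR7")
    return hits


if __name__ == "__main__":
    # Constructed values: idle machine, SoftICE-loader pattern, and a
    # 4-byte read/write BPM on DR0 at 0x00401000 (L0=1, RW0=11, LEN0=11).
    for dr7, drs in ((0x400, (0, 0, 0, 0)),
                     (0x700, (0, 0, 0, 0)),
                     (0x000F0401, (0x00401000, 0, 0, 0))):
        print("dr7=0x%08X:" % dr7, softice_indicators(dr7, drs) or ["nothing found"])
```

Reading the RW/LEN fields only for enabled entries matters: SoftICE clears
the enable bits when a BPM is removed but may leave the old RW/LEN bits in
place, so a decoder that reports those fields unconditionally sees ghosts.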

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" in C source is the device namespace path \\.\SICE */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}
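Added example (not from the original text, nor from MeltICE or nmtrans.dll):
the same check generalised to all three driver names, in Python. The opener
is passed in as a parameter so the detection logic runs on any platform;
win32_try_open is the real CreateFileW/CloseHandle probe and only works on
Windows. Function names are my own.

```python
import sys
from typing import Callable, Dict, Iterable

# Driver names MeltICE probes (from the text): the Win9x kernel and video
# VxDs and the WinNT driver. CreateFile reaches them through the device
# namespace, i.e. the path \\.\NAME.
SOFTICE_DEVICES = ("SICE", "SIWVID", "NTICE")


def device_path(name: str) -> str:
    # "\\\\.\\" in source is the 4-character prefix \\.\ at run time
    return "\\\\.\\" + name


def probe_softice(try_open: Callable[[str], bool],
                  names: Iterable[str] = SOFTICE_DEVICES) -> Dict[str, bool]:
    """Run the MeltICE check over each driver name.

    try_open(path) returns True if a handle to path could be opened (and
    closed again), False otherwise. Passing it in keeps the detection
    logic platform independent; win32_try_open below is the real thing.
    """
    return {name: try_open(device_path(name)) for name in names}


def softice_loaded(results: Dict[str, bool]) -> bool:
    """Any driver answering the open means SoftICE is resident."""
    return any(results.values())


def win32_try_open(path: str) -> bool:
    """CreateFileW/CloseHandle probe, the same call sequence as the C sample.

    Windows only: ctypes.WinDLL does not exist elsewhere.
    """
    import ctypes
    from ctypes import wintypes

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD,
                                wintypes.LPVOID, wintypes.DWORD, wintypes.DWORD,
                                wintypes.HANDLE]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]

    GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
    FILE_SHARE_READ, FILE_SHARE_WRITE = 0x1, 0x2
    OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL = 3, 0x80
    INVALID_HANDLE_VALUE = wintypes.HANDLE(-1).value

    h = k32.CreateFileW(path, GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE, None,
                        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, None)
    if h == INVALID_HANDLE_VALUE:
        return False            # no such device: driver not loaded
    k32.CloseHandle(h)
    return True                 # the driver accepted the open


if __name__ == "__main__":
    if sys.platform == "win32":
        found = probe_softice(win32_try_open)
        print(found, "SoftICE loaded" if softice_loaded(found) else "clean")
    else:
        # Constructed stand-in for a machine where only SICE answers.
        print(probe_softice(lambda p: p == device_path("SICE")))
```

Probing all three names in one pass is what a protector shipped for both
Win9x and NT has to do, and it is also why the classical BPX below compares
the four bytes after the "\\.\" prefix against 'SICE', 'SIWV' and 'NTIC'.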

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'
 (esp->4 is the first argument, lpFileName; +4 skips the "\\.\" prefix so
 the four bytes compared are the device name itself)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32);
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

 (esp->8 is lpSubKey; offset 0x13 lands on the 'tICE' of key #2 and 0x37 on
 the 'tICE' of key #1, counted from the start of the subkey string)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>