<TABLE width=500>
7 ]5 L4 w* R; e' ~- Z; s<TBODY>
9 G; U4 S1 k' |- w% t; h<TR>
4 f/ {# p" T0 ?$ z# P<TD><PRE>Method 01 6 l- ^, B0 w, c9 T0 C
=========
" V W6 K) F' A0 t6 y7 P6 }( a8 ` R0 y/ l% H
This method of detection of SoftICE (as well as the following one) is( @: u6 d. K8 s9 K, T2 R" q; ]$ Q% |( f
used by the majority of packers/encryptors found on Internet.
3 V4 a t, B7 m, ?- E6 T$ C6 j2 l$ eIt seeks the signature of BoundsChecker in SoftICE: x2 T9 U" k# K4 M0 i
7 l! @# ?$ P- t' _
mov ebp, 04243484Bh ; 'BCHK'2 W0 t. [) |, x4 Y- s2 _
mov ax, 04h
1 y( v% b* N. l8 M9 m) g' G int 3
1 X' ^4 @ }- I: m cmp al,4: _1 o+ C+ H6 V! z( P+ l, E ^$ U/ o
jnz SoftICE_Detected
* r4 |- z) J1 z( m3 U1 d! i
N5 d3 e+ C% ____________________________________________________________________________
' G4 w0 ]2 b5 H- j) m8 t0 J! X' W( {/ b" b: S1 T9 n
Method 02
( U4 v) c0 S1 q% f7 c0 o% y=========. O, ]# }1 k3 L( K" U
0 ~+ H! W; |( h, oStill a method very much used (perhaps the most frequent one). It is used4 ~6 D. H0 u2 I% f
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
9 h$ a2 K3 b$ i$ ]: l, }or execute SoftICE commands...
0 S. w4 D7 l. ]6 p0 nIt is also used to crash SoftICE and to force it to execute any commands
. [1 Z$ v; I6 z+ z$ n( K(HBOOT...) :-((
9 x7 h" T& U" W/ h- U& Z3 }9 S9 J
$ v/ [# N N$ F9 z4 K+ ^0 pHere is a quick description:6 `. [0 n+ z1 A, P
-AX = 0910h (Display string in SIce windows): i) L T& i; m. X* b* }
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
) A. f: G9 n' k. V$ A* r-AX = 0912h (Get breakpoint infos)' \6 j% |; M- x% `3 q; ?
-AX = 0913h (Set Sice breakpoints)
* A3 D2 o% B2 y$ y/ \9 W-AX = 0914h (Remove SIce breakoints)
7 u- x3 L: Q7 N4 ^0 K. F& K: T5 ] V2 B, X
Each time you'll meet this trick, you'll see:$ w. u& e; |6 D8 T5 {; o9 h8 E! ]
-SI = 4647h3 Q9 k; g3 k* V! I3 |7 L& S6 ?
-DI = 4A4Dh
- b5 g/ w! o+ l% `Which are the 'magic values' used by SoftIce.
' @6 C6 t- u; W$ t2 `9 K; E7 j8 ]8 @For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
) h; e+ z4 A+ g" U$ O3 M2 q$ b5 C8 c/ o4 O
Here is one example from the file "Haspinst.exe" which is the dongle HASP
8 f7 m( v. L# N5 a, H4 DEnvelope utility use to protect DOS applications:
1 N7 I* D( ~) n' j$ C6 l* T/ L
2 u4 I" @# k; m" [( E7 [' q7 J+ o- K8 }) ^9 V' B
4C19:0095 MOV AX,0911 ; execute command.- }) m( E/ X! M* T. f8 q; X
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).3 g( O* Y& I+ _' z0 h) [% o5 k
4C19:009A MOV SI,4647 ; 1st magic value.
|/ ^- k. k- s6 X4C19:009D MOV DI,4A4D ; 2nd magic value.
: D& z2 y4 X7 U' z6 K5 `' N2 l4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
8 C5 w; g4 o* k) m4 k+ c! j4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute$ J+ t$ M, ]. I, F, Q! M f
4C19:00A4 INC CX, i3 O$ W3 j2 U3 U) X
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute% h3 g/ H/ {8 ]
4C19:00A8 JB 0095 ; 6 different commands.
5 Q- K! I, p/ U/ E& J4C19:00AA JMP 0002 ; Bad_Guy jmp back.
9 e+ o5 {6 ]" g0 y" u0 o, ~* x$ ^4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
* L% l" X1 f# ~1 P( p* A0 w8 X6 q. p) `( ?0 L4 X+ a
The program will execute 6 different SIce commands located at ds:dx, which
4 k: f6 P% v4 U* f% S" ~ |& dare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
: c$ ~3 l* G7 ~) _& r
9 E4 \; F) m i) P( h1 k* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
$ }/ k. @- D5 Y# }- }; R5 l O___________________________________________________________________________ H% P1 H" |0 N D ~& } \- i
$ Q- x' ~5 M3 x! y; z: |
( I& @% p; }, ]; ]7 e5 @% B: qMethod 03
. a# j# r; N+ k=========! t# W; m \5 Q o% B
* g" z$ A [7 Z6 O/ M; gLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
1 J: o+ t& p+ X0 H9 `5 t- |(API Get entry point)
3 q" ?0 v6 ~$ b! D3 U3 o
& Y- \/ s7 H5 \4 |+ X+ T+ I1 |
# @. ~# B3 P/ \6 n. k- p& t xor di,di
4 {. N) U' k& r" r/ E mov es,di) S' w' _1 n7 s' r
mov ax, 1684h 4 h4 B2 l5 m9 m; m- _% m9 w6 W# D
mov bx, 0202h ; VxD ID of winice
- G) y; U' [' N int 2Fh
+ C+ z' y( R# M: ?! g$ ^ mov ax, es ; ES:DI -> VxD API entry point& D) l# G/ I( N: `6 s+ }; G& v
add ax, di! I( H; D. ?0 H& k N
test ax,ax
' q- [& t _/ B' _% b |( n& o jnz SoftICE_Detected
% p/ x' L0 y+ ~1 X& u5 h2 `( r
; H2 F& g L* w___________________________________________________________________________
% F" y V: [* D: T; k+ F
* y, Y' l% n. f' ^1 w! mMethod 04
`: L3 W0 Z+ S: q o! C+ Y% U=========- e4 M% p0 h4 c
9 R. O+ D, Z, J$ }. I" }
Method identical to the preceding one except that it seeks the ID of SoftICE9 N% T/ k0 F' t2 `: F" x
GFX VxD.$ ~0 r7 b& c4 F" v
+ v% E$ }5 `6 y5 T; Q
xor di,di9 ~4 |% c8 A7 o
mov es,di
& l; {" h' P5 c8 \, B) I; Q mov ax, 1684h 6 J" b. b! f y1 @! G
mov bx, 7a5Fh ; VxD ID of SIWVID
; I, s7 ]$ v5 R5 t) h1 S int 2fh
! L, j% F" d! v4 R' M mov ax, es ; ES:DI -> VxD API entry point4 B3 b( z- o0 W) Y6 y3 s6 N
add ax, di
% S) F5 s. E X7 j, K% T test ax,ax- b) j, L- n6 r1 A5 `
jnz SoftICE_Detected
0 _) p& s! H1 U- H+ I. h( l, K% H$ ?8 i* c8 c7 F0 m2 R
__________________________________________________________________________7 w% q8 r1 t0 K0 Y: o
$ o% f+ r! Y% R9 z
' P& m# @) T9 z1 eMethod 05
; L, ?6 z# V2 v$ c0 j) k0 W=========
7 h; {& D: n3 J9 b7 Y$ [' E3 I, q( k- m X4 t
Method seeking the 'magic number' 0F386h returned (in ax) by all system
( R7 ^: ?. s) Pdebugger. It calls the int 41h, function 4Fh.( u" ]( _+ g6 U( [( t5 a0 y
There are several alternatives. & g9 K, E2 J5 A5 E" @; [$ \
1 w7 Q3 ~4 Q& R) l: |) g
The following one is the simplest:
$ v5 L1 Y* j$ l0 E; O6 D
6 _6 I p/ t6 S( \; w( q* p mov ax,4fh
( y% ]) r, ~& ^5 R int 41h
0 T, j$ \% c/ o cmp ax, 0F386
# e& C/ J: S: z- R. r) P2 u* G% D3 B jz SoftICE_detected; m1 t9 C" N( Y8 S7 r
6 V- t/ g0 D5 d1 S: h
' R% |9 a- `5 l$ R8 NNext method as well as the following one are 2 examples from Stone's
# {/ X3 U/ ~7 V! a; Z! c"stn-wid.zip" (www.cracking.net):# _$ {# \# N7 [4 [" Q& l0 z
; J5 ]$ Q' _0 V& h, B3 ~4 M mov bx, cs. E, w9 P9 f5 O& `$ m
lea dx, int41handler2
7 L) S; i4 U; y$ I v4 |9 i& n xchg dx, es:[41h*4], z$ f2 a! b5 y% }
xchg bx, es:[41h*4+2]
' W1 C* G& E2 y% M- Y3 L& a0 T mov ax,4fh
1 @. L, A. I. U6 f& r# p int 41h
6 l3 \; x6 e. L* i6 l, J2 Y! Z xchg dx, es:[41h*4]) O) f3 m7 c3 {1 S% |
xchg bx, es:[41h*4+2]( J% z& U9 b3 c& G/ J+ b
cmp ax, 0f386h! I; D3 O7 u. r1 U- p
jz SoftICE_detected) f" Q- F+ y( E, v& {7 ^. i# R7 f
9 ?7 ?& G$ N4 M2 f- eint41handler2 PROC7 l8 c C) d- j/ Y' \) \- l
iret: l ?4 x# i' d0 M5 _* x& q8 A z
int41handler2 ENDP
' \3 _' ?( z" ^ p* G% r9 ~3 U7 ^ T9 Q2 d* U
. y3 L8 z/ K2 y+ P7 a; b" K_________________________________________________________________________
6 V( m, x5 s( }& T6 g8 w9 N" T1 n) C5 i$ h; X L
# m: f/ C6 T2 f* K& }- R8 f7 cMethod 063 m$ ^! _% f, k$ T
=========
( w; W: M% ^5 S$ }6 P* `5 ]9 W! k; }9 J' B
' U4 l1 `+ x: i3 n9 p2nd method similar to the preceding one but more difficult to detect:
4 U$ e# y y3 c! y; g6 b. ]! h; i) i' ?
7 z6 C0 z7 r- X( \$ |int41handler PROC& ?9 a1 J- s# A4 z9 X9 r5 G
mov cl,al
4 a/ j! P4 k. o2 N2 o iret4 ^1 y2 U4 {. C$ u2 s% h4 u
int41handler ENDP1 d- v9 o4 W/ M6 x
, W1 ?/ J5 ]+ s* W6 Q% ]% z. v
2 ]0 H1 s) y, ^" U9 C* p3 d4 W xor ax,ax/ P* k5 t; U6 ^) l. j
mov es,ax
1 }* z+ s. ` B" G% t6 R mov bx, cs
" S% j7 |% t- W4 ~4 B7 E+ j lea dx, int41handler8 u- o+ {8 C$ E* ~
xchg dx, es:[41h*4]5 x1 g }% Z2 f3 z m
xchg bx, es:[41h*4+2]
$ p- U) d/ H# I) w in al, 40h
% ?7 v# N; x Z3 r" Q1 a4 A; k xor cx,cx
t. m, q6 s' m9 t+ J3 K6 ` int 41h
2 h% c( D( P4 z6 v. _ xchg dx, es:[41h*4]$ i# ~# x( d- `" N
xchg bx, es:[41h*4+2]3 a% u7 x2 ^2 a; c( z' o, v: J
cmp cl,al
6 W% ~" j% C; z0 B jnz SoftICE_detected0 ?5 O( P* d- u6 T7 q+ [% l5 K
) M/ q' y+ o9 j' l
_________________________________________________________________________
! f( h3 C ?8 o3 e2 C, @+ d% c
$ G2 ^3 V% j$ r' N) L- k8 kMethod 07
7 b, j2 y1 z4 v# Y6 K- C9 z1 _=========
5 s* m: Z( O' D" u/ l" ^# ]2 e0 U3 W; c1 ]1 z
Method of detection of the WinICE handler in the int68h (V86)$ B u4 e+ r4 e6 ]6 Y2 j: ~
: p9 W7 h- @' G3 G n
mov ah,43h0 D' w0 H1 E6 E6 [$ Z7 r
int 68h/ ?9 r; `2 R4 H- H, l5 H
cmp ax,0F386h: P2 e7 i8 ~7 i9 q
jz SoftICE_Detected) C4 N% q* B; |+ l. v7 k
+ y! Z( B% \8 y9 X6 H2 R7 b
6 A& K) d9 C; j* f, J2 S=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
, n" H' W8 `* D: q: n1 f& k app like this:: R f5 z) y% n+ S& ]1 o5 d& g
: t7 `$ B5 Z, P" z: M BPX exec_int if ax==683 T0 i# _3 g; }: O1 [/ [7 w
(function called is located at byte ptr [ebp+1Dh] and client eip is. o/ X5 I4 L7 X6 R; O; Y
located at [ebp+48h] for 32Bit apps)0 ] O! c' O) J/ j
__________________________________________________________________________
: Q2 w2 h4 {4 ]1 r: K, C% b2 R- n1 _8 k5 ^# W. b
, @& L6 v: Q% Q$ \0 Y( Q# jMethod 08: r1 p7 ~; T+ y3 |! F6 H
=========( n6 {( o- v1 F
! d2 b/ c |2 c) E2 a
It is not a method of detection of SoftICE but a possibility to crash the
/ L; f3 }! Q$ B2 \* Jsystem by intercepting int 01h and int 03h and redirecting them to another
: N$ m& q7 ?# H7 p- k9 Sroutine.. [2 M3 V$ ?! |+ B6 ?3 I
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points: e$ Q, y. ~* [( f- m6 J
to the new routine to execute (hangs computer...)
& c+ w1 F! z5 \& ]5 d3 f6 i% `9 s9 s4 [ ]! l' R& R' k8 \) p' E/ |
mov ah, 25h
1 W/ n* w, `1 C, I7 O( c, \3 i. x mov al, Int_Number (01h or 03h)
8 T; K- T' S0 o/ a mov dx, offset New_Int_Routine
) z- T9 L0 L1 L- o int 21h
( ?/ F4 r7 |6 g+ Q9 [
. Y) E1 H& [3 o9 \# V1 z$ z, ]__________________________________________________________________________
) d% v# Z) H6 X9 i, N- X, ~2 ^: k1 g
Method 097 b# U! {% F1 W0 v+ q6 `
=========
7 a+ g) K( Y$ G* [$ _! P
+ d4 G2 V$ q. B s$ pThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
: T6 L: {4 G* a! T6 o; r- dperformed in ring0 (VxD or a ring3 app using the VxdCall).
! W/ n3 ~, b0 |+ r. c7 zThe Get_DDB service is used to determine whether or not a VxD is installed. C: ^- H5 Q `1 e" y+ z) K5 U- Y
for the specified device and returns a Device Description Block (in ecx) for9 z1 T t. I8 S4 G
that device if it is installed.0 \1 @; ?2 ]- F
& A% e2 ?' G3 g/ i* t' N3 `& T, l mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID7 f3 I, s% D! E. E5 {5 ?3 L
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
# B+ p& P- l% K$ W. b) M VMMCall Get_DDB
4 t& `* t& v! V+ o$ b. U1 h mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
( X: y: k) {* g3 ^% B# ~6 i
% r; S9 }1 q1 s% F M$ H. p, XNote as well that you can easily detect this method with SoftICE:$ S& A3 J/ A. }1 T1 ~
bpx Get_DDB if ax==0202 || ax==7a5fh
9 U2 ~9 L2 b1 o3 u/ E
_% V b: _3 E2 Z+ Z2 d+ w+ L Z R__________________________________________________________________________4 Y2 a8 I: L4 w1 {
" z% q, E n- T4 LMethod 10- R9 t' x# g6 t
=========
! |. D9 {+ l4 m# Z. I- y/ Z& Y+ X
=>Disable or clear breakpoints before using this feature. DO NOT trace with
# f+ V% r$ H# B/ @1 Y& Y' r SoftICE while the option is enable!!: c, C% J+ y3 \- m# J
- r% d9 x5 l* J, H" T, |4 h
This trick is very efficient:
: w2 }; v$ [8 Q+ n9 G* P3 |by checking the Debug Registers, you can detect if SoftICE is loaded
: r& X# G- u* s; n8 |) p( M. m+ l(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
* {% J, Y/ R8 Z/ ~7 ?8 W( ethere are some memory breakpoints set (dr0 to dr3) simply by reading their
7 b( _4 M" |& Xvalue (in ring0 only). Values can be manipulated and or changed as well. q% J2 p9 L% y8 H& h; Y( y
(clearing BPMs for instance)
R* |3 f. w4 v+ m1 H( A
6 J$ ~) K& P+ D/ \4 s, ]/ K% o5 o__________________________________________________________________________8 F H5 [6 h4 v9 H! b3 n! A/ @
! U9 X/ d" n% @! J9 @8 k6 a; {7 t T# mMethod 119 V" A; M' ]" w" W: p
=========
! Y, N, Q' _3 E" o o
) I+ d" R5 E. ? P/ uThis method is most known as 'MeltICE' because it has been freely distributed
" G+ S3 q$ \" {: zvia www.winfiles.com. However it was first used by NuMega people to allow
' T' L' u2 {! {# N/ s2 kSymbol Loader to check if SoftICE was active or not (the code is located# b) B3 B4 r# n0 e9 T) i
inside nmtrans.dll).
3 X$ ^4 v" ~0 d4 }# N0 u. S$ N: r8 J' Q8 i( P
The way it works is very simple:* Q+ q4 K; U( A2 V1 B
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for5 Y9 d) D1 q) e& _5 h y- ~# p) |
WinNT) with the CreateFileA API.1 K$ O+ o* ^3 _' q& J5 w
% O6 ?9 d9 N: T' B2 K Y8 q
Here is a sample (checking for 'SICE'):
% i6 I) y" \ d0 E2 H8 g2 Y( ]6 R5 U2 b, _, Z& `+ `8 f) n/ L0 |
BOOL IsSoftIce95Loaded()
5 I7 o- X6 n) C! X' S# J{. B! c7 ?3 [3 |5 _& `/ }
HANDLE hFile; $ l0 k0 K8 o4 q$ v8 i9 R9 P5 k
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
% t( n% H- p0 O FILE_SHARE_READ | FILE_SHARE_WRITE,
6 ~# l, t: r; j1 ~ NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
. I8 U' }+ n! L4 l) K% C5 C if( hFile != INVALID_HANDLE_VALUE )
9 y/ L1 J, f+ n9 O/ j {$ _+ C7 A- n4 z4 |2 s: T; L9 V
CloseHandle(hFile);! S; f5 Y5 P9 f. N! F. P3 r
return TRUE;
& t. o8 |; \$ a0 S! h0 I }
3 m! H) [1 Q0 P. C return FALSE;
/ g9 X2 U& A- V) f `}
; I$ [! x- f. I; V( s; B% D" z
( h/ |$ D: }7 q/ `4 J/ D* JAlthough this trick calls the CreateFileA function, don't even expect to be, V$ j8 y0 A/ |$ t" H5 @. f6 r& B" Y
able to intercept it by installing a IFS hook: it will not work, no way!
3 P6 x o! X2 X$ FIn fact, after the call to CreateFileA it will get through VWIN32 0x001F. C5 @, h$ o% U7 a/ J" j. }. j
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
^& u. U. ?: s1 Z7 s$ `% u- qand then browse the DDB list until it find the VxD and its DDB_Control_Proc4 j8 B1 \# I1 X; p0 M# ` Z
field.4 y3 W; @3 f3 N" K$ B. z Z- a
In fact, its purpose is not to load/unload VxDs but only to send a , D$ w5 G3 O+ Q8 }( i3 U
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
2 |+ M) O. a6 T/ ^' z7 Z+ X2 gto the VxD Control_Dispatch proc (how the hell a shareware soft could try1 q8 Y R2 I0 R" P$ y$ M) r
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
) [1 |: c4 f* b. Y. l! x8 w( f) v# Y9 qIf the VxD is loaded, it will always clear eax and the Carry flag to allow" V, E( R0 G2 K' W
its handle to be opened and then, will be detected.( u2 H0 u6 C- ?1 D( d, R: u
You can check that simply by hooking Winice.exe control proc entry point
) i% G- L* Q! h9 l& _while running MeltICE.
- `4 `/ D' d' r1 Q
" V# Q& x/ u0 A }1 ~1 Y
d) S {, g; ~9 E% [ 00401067: push 00402025 ; \\.\SICE" E' n1 W* d# W, B0 C1 a, [7 l" ?
0040106C: call CreateFileA( N% h; C- S, z/ w2 `1 n* [, e6 I
00401071: cmp eax,-0018 `6 E9 y( ]* l9 n0 O
00401074: je 004010917 e. Q6 O) e5 {* `$ S: v/ [
) B1 j0 x" t* L& X" ]9 e. ?7 `9 h f; h8 U% K
There could be hundreds of BPX you could use to detect this trick.
* m. [* H3 S- K% g& W-The most classical one is:& p6 E9 L7 B6 J- C% {
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
& B# u$ G' j" q4 s" ]4 I *(esp->4+4)=='NTIC'
! ^5 F+ K& F7 c$ ?; O8 T; R5 u4 ?% V! O6 U i
-The most exotic ones (could be very slooooow :-(! N" C- R( E9 u2 m# @# G
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
" [" Z o( r" s/ @ z+ a1 H ;will break 3 times :-(
* p" } ~) F; u
* I$ s! j& z. X7 w9 \-or (a bit) faster: 0 @' n# D- a) ]8 Z) Z* k
BPINT 30 if (*edi=='SICE' || *edi=='SIWV'): U% P6 Y, A' q/ @1 R6 B6 @3 _9 i
2 A$ }6 W e3 Q. K K8 x) J BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' : A, J6 c( P1 |8 }7 ^. P! s
;will break 3 times :-(" w `6 u7 E" r# f/ d
2 L0 Z" p9 S2 s. E6 b; P-Much faster:( F& U7 S- p1 G6 R; n
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
! x \5 l4 Y" A: Y' b* n. o1 f+ ?7 s* U. y
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
9 \3 R6 l7 E# p5 Ufunction to do the same job:6 i) A7 E u: s d9 x w; Z3 y3 n. N
, i i3 ]( s x8 B& {$ S
push 00 ; OF_READ
6 R/ R+ V# _/ C% r' v; E mov eax,[00656634] ; '\\.\SICE',0* r' ]8 j- `, t# Q. C# t* K3 q! s
push eax# |( I: f8 U3 t2 u5 K S/ `; G! L
call KERNEL32!_lopen
2 B7 B- I. r9 V: q inc eax
$ K- r) D0 z5 a8 R jnz 00650589 ; detected4 l* k. e" e$ b6 t7 ^! k' f- ?) m
push 00 ; OF_READ% A1 B! L9 I$ a1 m4 ~$ U
mov eax,[00656638] ; '\\.\SICE'
9 _ H2 B6 Z, `5 b4 @% ? push eax, E F- L1 _& K& }0 h* t+ X
call KERNEL32!_lopen
q5 m, ~5 L" s8 |2 S! A, N! C inc eax
& j. o- F5 l, o; Q* l/ ^9 p jz 006505ae ; not detected3 s% l' @! b. g' j, K
% J- Y: I$ D/ g8 M8 j: c3 k: R; U
' k- h& \( j8 j7 Q__________________________________________________________________________
5 c8 v9 H5 A9 L$ B% `7 Q& n9 V$ v2 l0 F; ?) p4 X7 P
Method 12/ t2 x) o4 }: q. U
=========
0 n/ S3 Q2 |7 m7 F$ a }8 }- b% g- u5 o$ N
This trick is similar to int41h/4fh Debugger installation check (code 05$ `8 p' w# h Y6 |
& 06) but very limited because it's only available for Win95/98 (not NT)
2 A- I1 l0 W. r( V' S7 }, ias it uses the VxDCall backdoor. This detection was found in Bleem Demo.% Z: N. o: J3 Y P' \9 b9 l- x0 X
' y+ _$ j' R7 C+ o# R push 0000004fh ; function 4fh
9 g3 J9 L" {+ f push 002a002ah ; high word specifies which VxD (VWIN32)
' s. T; X Y# Q \& ^; ^4 n ; low word specifies which service/ A3 ?7 B z' U2 Z* T
(VWIN32_Int41Dispatch)6 M/ ?, ?9 ^ i5 e
call Kernel32!ORD_001 ; VxdCall
4 V, m- l5 T2 U( k; Z( r7 S, b% O cmp ax, 0f386h ; magic number returned by system debuggers
t. H+ l3 z0 Z1 |1 i, P jz SoftICE_detected
8 o' x5 ^; p5 V& H9 T) m ^+ J4 g7 O" j2 I# T' c
Here again, several ways to detect it:
, K0 P. ^0 g( ~8 G/ N* i- K
! M- Z7 C3 ~/ c BPINT 41 if ax==4f
9 A6 x+ k3 g' ^2 F( F1 K6 }: R) Z8 q1 t* D% ]/ x4 w
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one+ J; M, J6 c5 o
8 F; L- B$ \7 ~, b" x# \1 B
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A% g2 k/ T2 D& e
6 @4 }1 y4 X: {# d
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
0 V% m* i; h( h5 c7 w6 C. X% y3 V- n% x4 g/ n* X+ R
__________________________________________________________________________# U2 H4 z1 I8 D
9 n& @: c" p( a2 i0 q q% e" b
Method 13
* C+ E9 e1 q, M6 j* n; `! x" p* G=========
7 F0 R" W$ b4 k1 f& M: x1 U; o) @% l8 _; y! Q N5 p
Not a real method of detection, but a good way to know if SoftICE is
0 k! ]9 q- C7 E) o3 Q8 [' F6 Linstalled on a computer and to locate its installation directory.# x2 B* O C: F: R
It is used by few softs which access the following registry keys (usually #2) :5 i+ W- e x7 c& z9 ` E
4 S+ h1 Z$ {: ^4 f; p- r
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
" o% D5 R X/ Z# A j* d\Uninstall\SoftICE
' R% Z$ n6 v, m-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE2 s* m( t0 X) r% f$ H3 {: }, B7 N
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
: W8 o# V& {. Q" ^' T1 M\App Paths\Loader32.Exe
0 [ ]9 H2 H! V) q7 f @
6 c, Y5 @+ g: ?* L9 \/ s, h6 S2 q" M: k% a, D. V# J2 S
Note that some nasty apps could then erase all files from SoftICE directory
9 G9 Z+ G( F, c T( g(I faced that once :-(
+ |) W" X% K2 a# ^/ ]# h% f- o% V8 @3 m. `, R8 W3 ?6 R1 w% @
Useful breakpoint to detect it:9 X$ D4 [, t5 ~; h% ~) W: {
* y! m z. x! v! J$ d! l BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
' e7 Z1 B. u! M# y. a- A# a& B0 E8 R F' b# h. g+ S
__________________________________________________________________________
6 r& l/ L6 ]1 d3 }% a. c0 ^5 M0 {( P$ Y6 R
; }, A/ \1 W6 C4 P: c, x' y. WMethod 14
8 Z3 Q) p. U/ }2 i7 E# d=========
* l. \' u! v) e4 B% N5 H/ q+ J- g* c2 A
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
0 Q* T7 P: Z. V1 H& vis to determines whether a debugger is running on your system (ring0 only).
Y4 ]- v$ j/ A: Z( z+ C, F2 U8 ]9 D3 Z6 N
. I( B; B! j' E! A% S* H6 C3 A VMMCall Test_Debug_Installed# _3 B0 C9 c* f; B4 `! z* |
je not_installed
. R/ O, s9 J v. [5 T% @$ {- O: i& f! k% A
This service just checks a flag.% Y' J( s# K4 I9 H
</PRE></TD></TR></TBODY></TABLE> |