<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with EBP='BCHK' and
AX=4, a loaded SoftICE answers the INT 3 and modifies AL, whereas without
it AL keeps its value of 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4               ; AL unchanged: nobody answered the INT 3
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute a SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095 MOV AX,0911           ; execute command.
4C19:0098 MOV DX,[BX]           ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647           ; 1st magic value.
4C19:009D MOV DI,4A4D           ; 2nd magic value.
4C19:00A0 INT 3                 ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02             ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06             ; Repeat 6 times to execute
4C19:00A8 JB 0095               ; 6 different commands.
4C19:00AA JMP 0002              ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP             ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(get VxD API entry point). ES:DI is zeroed first; if the VxD is loaded
the call returns its entry point there, so a non-zero ES:DI means detection.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the real-mode IVT is
replaced by a dummy handler around the call, so a 0F386h answer cannot come
from anything installed in the vector table: it must come from a debugger
that catches the interrupt before the IVT is consulted, as SoftICE does.

        xor ax, ax
        mov es, ax              ; ES = 0: ES:[41h*4] is the int 41h IVT entry
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install the dummy handler, save the old vector
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
dummy handler copies AL into CL, and AL is first loaded with a byte read from
the timer port 40h. If the real-mode handler actually ran, CL equals AL on
return; if a debugger answered the int 41h instead, CL is still 0. (If the
timer byte happens to be 0 the check misses once, which is cheap enough for
the protection.)


int41handler PROC
        mov cl, al
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax              ; ES = 0: the real-mode IVT
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install the dummy handler, save the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; changing value: timer 0 counter byte
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (ring0 only, since a mov from a debug register is privileged). Values
can be manipulated or changed as well (clearing BPMs, for instance).
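As an added example (not part of the original text), here is a C decoder for
the DR7 bits that this method reads, plus the check and the "clear the BPMs"
manipulation written out. The dr7/dr0 values are constructed inputs standing
in for the privileged mov from the debug registers, which this code does not
perform; the bit layout is the documented IA-32 one.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* DR7 bit layout (IA-32):
 *   bits 0,2,4,6  L0..L3  local enable for DR0..DR3
 *   bits 1,3,5,7  G0..G3  global enable for DR0..DR3
 *   bit 8         LE      local exact breakpoint match
 *   bit 9         GE      global exact breakpoint match
 *   bit 10        reserved, always reads as 1 (so 0x400 is the "clean" value)
 *   bit 13        GD      general detect: trap on any access to DR0..DR7
 *   bits 16+4n    R/Wn    break condition for DRn (0 exec, 1 write, 3 read/write)
 *   bits 18+4n    LENn    length for DRn (0=1, 1=2, 3=4 bytes)                */
#define DR7_LE  (1u << 8)
#define DR7_GE  (1u << 9)
#define DR7_GD  (1u << 13)

struct dr7_info {
    bool loader_signature;  /* LE and GE both set: the 0x700 value quoted above */
    bool general_detect;    /* GD set: a debugger is guarding the debug registers */
    unsigned enabled_mask;  /* bit n set when DRn has its L or G enable bit set */
    unsigned rw[4];
    unsigned len[4];
};

struct dr7_info dr7_decode(uint32_t dr7)
{
    struct dr7_info info = {0};
    info.loader_signature = (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
    info.general_detect = (dr7 & DR7_GD) != 0;
    for (unsigned n = 0; n < 4; n++) {
        if (dr7 & (3u << (2 * n)))          /* Ln or Gn */
            info.enabled_mask |= 1u << n;
        info.rw[n]  = (dr7 >> (16 + 4 * n)) & 3;
        info.len[n] = (dr7 >> (18 + 4 * n)) & 3;
    }
    return info;
}

/* The check as Method 10 states it: 1 = started through the SoftICE loader
 * (the 0x700 pattern), 2 = at least one memory breakpoint (BPM) armed,
 * 0 = nothing found.  dr[] holds DR0..DR3 so the BPM address can be shown. */
int softice_dr_check(uint32_t dr7, const uint32_t dr[4])
{
    struct dr7_info info = dr7_decode(dr7);
    if (info.loader_signature)
        return 1;
    for (unsigned n = 0; n < 4; n++)
        if (info.enabled_mask & (1u << n)) {
            printf("BPM on DR%u at %08x (rw=%u len=%u)\n",
                   n, dr[n], info.rw[n], info.len[n]);
            return 2;
        }
    return 0;
}

/* "Values can be manipulated ... clearing BPMs": drop every enable bit and
 * every R/W and LEN field, keep the reserved bit so the value stays valid. */
uint32_t dr7_clear_bpms(uint32_t dr7)
{
    return dr7 & ~(0x000000FFu | 0xFFFF0000u);
}

int main(void)
{
    /* Constructed values, not read from a real machine: */
    const uint32_t clean  = 0x00000400;              /* no debugger, no BPM     */
    const uint32_t loader = 0x00000700;              /* LE|GE: SoftICE loader   */
    const uint32_t bpmw   = 0x00000400 | 1u          /* L0                      */
                          | (1u << 16) | (3u << 18); /* RW0=write, LEN0=4 bytes */
    const uint32_t dr[4]  = { 0x00401000, 0, 0, 0 }; /* "bpm 401000 w" in DR0   */

    printf("clean  -> %d\n", softice_dr_check(clean,  dr));
    printf("loader -> %d\n", softice_dr_check(loader, dr));
    printf("bpm    -> %d\n", softice_dr_check(bpmw,   dr));
    printf("after clearing: dr7=%08x\n", dr7_clear_bpms(bpmw));
    return 0;
}
```

The reserved bit 10 is why the page's "clean" value is 0x400 rather than 0: a
debugger that writes 0 to DR7 still reads 0x400 back, so only the LE/GE and
enable bits carry information.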
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device name \\.\SICE; the open only succeeds
       when the SoftICE VxD is loaded and answers the DIOC_OPEN message. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
  (esp->4 is lpFileName, the first argument; +4 skips the "\\.\" prefix so
  the dword compared is the first 4 characters of the device name.)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected


Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
(esp->8 is lpSubKey, the second argument; 0x13 and 0x37 are the offsets of
"tICE" inside "Software\NuMega\SoftICE" and "...\Uninstall\SoftICE".)
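As an added example (not part of the original text), here is a C scanner for
the immediates and strings that methods 01 to 07, 11, 12 and 13 are built
from, so that a packed program can be searched for them instead of tracing
into each trick. The opcode bytes are the standard x86 encodings of the
instructions listed above; the sample buffer is constructed here and is not
taken from any real program. It also computes the string offsets that the
esp->4+4 and esp->8+0x13 / esp->8+0x37 breakpoint expressions depend on.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Opcode signatures from the listings above.  mov r16,imm16 is B8+reg, so these
 * 16-bit-code byte strings also match the 32-bit-code form, which only adds a
 * 66h operand-size prefix in front (mov ebp,imm32 is BD imm32 in 32-bit code). */
struct sig { const char *method; const char *what; unsigned char b[8]; size_t len; };

static const struct sig sigs[] = {
    { "01", "mov ebp,4243484Bh ('BCHK')",              {0xBD,0x4B,0x48,0x43,0x42}, 5 },
    { "02", "mov si,4647h (backdoor magic 1)",         {0xBE,0x47,0x46},           3 },
    { "02", "mov di,4A4Dh (backdoor magic 2)",         {0xBF,0x4D,0x4A},           3 },
    { "03", "mov bx,0202h / int 2Fh (SICE VxD ID)",    {0xBB,0x02,0x02,0xCD,0x2F}, 5 },
    { "04", "mov bx,7A5Fh / int 2Fh (SIWVID VxD ID)",  {0xBB,0x5F,0x7A,0xCD,0x2F}, 5 },
    { "05", "mov ax,4Fh / int 41h",                    {0xB8,0x4F,0x00,0xCD,0x41}, 5 },
    { "05", "cmp ax,0F386h (debugger magic number)",   {0x3D,0x86,0xF3},           3 },
    { "07", "mov ah,43h / int 68h",                    {0xB4,0x43,0xCD,0x68},      4 },
    { "12", "push 002A002Ah (VWIN32_Int41Dispatch)",   {0x68,0x2A,0x00,0x2A,0x00}, 5 },
};

/* Device and registry names used by Methods 11 and 13. */
static const struct { const char *method; const char *s; } names[] = {
    { "11", "\\\\.\\SICE" }, { "11", "\\\\.\\SIWVID" }, { "11", "\\\\.\\NTICE" },
    { "13", "Software\\NuMega\\SoftICE" }, { "13", "Uninstall\\SoftICE" },
};

struct hit { const char *method; const char *what; size_t off; };

/* Linear scan of every signature over the buffer; returns the number of hits,
 * ordered by offset.  Good enough for a few KB of unpacked stub code. */
size_t scan_softice_sigs(const unsigned char *buf, size_t n, struct hit *out, size_t cap)
{
    size_t count = 0, i, k;
    for (i = 0; i < n; i++) {
        for (k = 0; k < sizeof sigs / sizeof sigs[0]; k++)
            if (count < cap && sigs[k].len <= n - i &&
                memcmp(buf + i, sigs[k].b, sigs[k].len) == 0)
                out[count++] = (struct hit){ sigs[k].method, sigs[k].what, i };
        for (k = 0; k < sizeof names / sizeof names[0]; k++) {
            size_t l = strlen(names[k].s);
            if (count < cap && l <= n - i && memcmp(buf + i, names[k].s, l) == 0)
                out[count++] = (struct hit){ names[k].method, names[k].s, i };
        }
    }
    return count;
}

/* Offset of a tag inside a string: this is where the breakpoint expressions
 * above get their constants (esp->4+4 for 'SICE' after "\\.\", esp->8+0x13
 * and esp->8+0x37 for 'tICE' inside the two registry paths). */
long tag_offset(const char *s, const char *tag)
{
    const char *p = strstr(s, tag);
    return p ? (long)(p - s) : -1L;
}

/* Constructed sample buffer (not from any real program): a Method 03 probe,
 * two NOPs, a Method 05 probe with its compare, a Method 12 push, and a
 * MeltICE device name.  Hits are kept so they can be inspected by index. */
static struct hit g_hits[16];

size_t scan_sample(void)
{
    static const unsigned char sample[] = {
        0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,  /* mov ax,1684h; mov bx,0202h; int 2Fh */
        0x90,0x90,
        0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3,  /* mov ax,4Fh; int 41h; cmp ax,0F386h  */
        0x68,0x2A,0x00,0x2A,0x00,                    /* push 002A002Ah                      */
        '\\','\\','.','\\','S','I','C','E',0,        /* "\\.\SICE"                          */
    };
    return scan_softice_sigs(sample, sizeof sample, g_hits, 16);
}

struct hit sample_hit(size_t i) { return g_hits[i]; }

int main(void)
{
    size_t n = scan_sample(), i;
    for (i = 0; i < n; i++)
        printf("offset %2zu  method %s  %s\n", g_hits[i].off, g_hits[i].method, g_hits[i].what);
    printf("'tICE' at +0x%lx in Software\\NuMega\\SoftICE\n",
           tag_offset("Software\\NuMega\\SoftICE", "tICE"));
    return 0;
}
```

The 3-byte signatures (cmp ax,0F386h, the SI/DI magic values) will produce
the occasional false hit in data, so treat a lone one as a lead to check in
the debugger rather than as proof; the 5-byte probe sequences are reliable.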

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>