<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911     ; execute command.
4C19:0098  MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647     ; 1st magic value.
4C19:009D  MOV DI,4A4D     ; 2nd magic value.
4C19:00A0  INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06       ; Repeat 6 times to execute
4C19:00A8  JB 0095         ; 6 different commands.
4C19:00AA  JMP 0002        ; Bad_Guy jmp back.
4C19:00AD  MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by any system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax               ; ES=0 -> interrupt vector table (setup missing from the listing)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy handler, saving the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h          ; the dummy handler leaves AX alone, so 0F386h means a debugger answered
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler echoes AL back in CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES=0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector in DX:BX
    xchg bx, es:[41h*4+2]
    in al, 40h              ; AL = timer count, a value that changes every run
    xor cx,cx
    int 41h                 ; reaches our handler only if no debugger intercepts it
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl,al               ; CL != AL: our handler never ran
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; (01h or 03h)
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
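Added example, not part of the original text: a decoder for the DR7 value this method reads. It shows which bits 0x700 and 0x400 actually set (LE/GE plus the always-set reserved bit 10) and how armed DR0-DR3 breakpoints show up, so an analyst can read the register instead of matching magic numbers. The field layout is the architectural one from the Intel manual; the three-way wording in describe() is my own.

```python
# Added example (not from the original document): decode a DR7 value the way
# Method 10 interprets it, so its two magic numbers stop being magic.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn encoding; 8 is only valid in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its fields (Intel SDM vol. 3, Debug Control Register)."""
    armed = []
    for i in range(4):                          # one L/G enable pair per DR0..DR3
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3      # R/Wn: break on exec/write/io/rw
            ln = (dr7 >> (18 + 4 * i)) & 3      # LENn: 1/2/8/4 bytes
            armed.append({"dr": i, "local": bool(local), "global": bool(glob),
                          "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "armed": armed,
        "LE": bool(dr7 & 0x100),      # local exact breakpoint enable
        "GE": bool(dr7 & 0x200),      # global exact breakpoint enable
        "bit10": bool(dr7 & 0x400),   # reserved, always reads as 1
        "GD": bool(dr7 & 0x2000),     # general detect: trap on MOV to/from DRn
    }


def describe(dr7: int) -> str:
    """Map a DR7 reading onto the three cases Method 10 distinguishes."""
    d = decode_dr7(dr7)
    if d["armed"]:
        regs = ",".join(str(b["dr"]) for b in d["armed"])
        return "memory breakpoint(s) armed on DR" + regs
    if d["LE"] and d["GE"]:
        return "exact-match enables set (LE|GE): loaded via the SoftICE loader"
    return "only reserved bit 10 set: no debug registers in use"


if __name__ == "__main__":
    for value in (0x400, 0x700, 0xD0402):   # 0xD0402: constructed, G0 write/4 bytes
        print(hex(value), describe(value))
```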
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Opening the VxD by its device name only succeeds when it is loaded */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067:  push 00402025          ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp eax,-001
00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0 when the open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
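Added example, not part of the original text or of any tool it mentions: a Python scanner that looks for the byte patterns and strings of Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 in a raw binary image, so that an analyst triaging a packed sample knows which checks to expect before stepping into it. The opcode encodings are standard x86 (Method 01 as 32-bit code, the others as 16-bit code with an optional 66h prefix); the sample image is constructed.

```python
import re

# Opcode bytes an assembler emits for the mnemonics quoted in the methods above.
# Methods 02-12 are taken as 16-bit code; an optional 66h prefix covers the
# same 16-bit register moves when they appear in 32-bit code. Method 01 is 32-bit.
CODE_SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "01 BCHK int 3": rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC",
    # Method 02: mov si,4647h ... mov di,4A4Dh ... int 3 (the two magic values)
    "02 int 3 backdoor": rb"(?:\x66)?\xBE\x47\x46.{0,16}?(?:\x66)?\xBF\x4D\x4A.{0,16}?\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "03/04 int 2Fh VxD entry": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "05 int 41h/4Fh": rb"(?:\x66)?\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "07 int 68h/43h": rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh / push 2A002Ah before the VxDCall
    "12 VxDCall Int41Dispatch": rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}

# Methods 11 and 13: driver device names and registry paths, ASCII or UTF-16LE.
STRINGS = {
    "11 MeltICE device name": ["\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"],
    "13 SoftICE registry key": ["Software\\NuMega\\SoftICE", "Uninstall\\SoftICE"],
}


def _string_patterns():
    for name, texts in STRINGS.items():
        for text in texts:
            for enc in ("ascii", "utf-16-le"):
                yield name, re.escape(text.encode(enc))


def scan(image: bytes):
    """Return sorted (offset, method) pairs for every anti-SoftICE idiom found."""
    hits = set()
    for name, pattern in list(CODE_SIGNATURES.items()) + list(_string_patterns()):
        for m in re.finditer(pattern, image, re.DOTALL):
            hits.add((m.start(), name))
    return sorted(hits)


# Constructed sample image (not a real binary): NOP padding around three idioms.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"   # Method 01 at offset 4
    + b"\x90" * 2
    + b"\xB8\x4F\x00\xCD\x41"                       # Method 05 at offset 16
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                            # Method 11 string at offset 24
    + b"\x00" * 4
)

if __name__ == "__main__":
    for offset, method in scan(SAMPLE):
        print(f"{offset:#06x}  {method}")
```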


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>