<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; ds:dx points to the command)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):


 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax ; ES:DI == 0 when the VxD is not loaded
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):
 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):
 xor ax,ax
 mov es,ax ; es = 0 so that es:[41h*4] addresses the interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install a dummy int 41h handler, keeping the old vector
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
 mov cl,al ; cl receives al only if this handler actually ran
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; read an unpredictable value from the timer port
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler in int 68h (V86):
 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
 app like this:

 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h
__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* opening the SICE device only succeeds when the driver is loaded */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091



There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; _lopen returns -1 (HFILE_ERROR) on failure
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).
 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
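As an added example (not part of the original text), here is a Python scanner an analyst can run over a sample to triage it for the checks catalogued above without tracing it under a debugger: it looks for the machine-code encodings of the instruction sequences quoted in methods 01, 02, 03/04, 05, 07 and 12, the device names of method 11 and the registry key of method 13. The signature names, the regexes and the sample buffer are my own constructions; x86 code (16- or 32-bit, with an optional 66h operand-size prefix) and ASCII strings are assumed.

```python
"""Scan a binary blob for the SoftICE-detection idioms catalogued above."""
import re

# Each pattern is the machine-code encoding of the instructions quoted in the
# method (x86, 16- or 32-bit; an optional 66h operand-size prefix is allowed).
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    "M01 BoundsChecker 'BCHK' int 3":
        re.compile(rb"\x66?\xbd\x4b\x48\x43\x42\x66?\xb8\x04\x00\xcc"),
    # Method 02: mov si,4647h ... mov di,4A4Dh (back-door magic values)
    "M02 back-door magic SI/DI":
        re.compile(rb"\x66?\xbe\x47\x46.{0,6}?\x66?\xbf\x4d\x4a", re.DOTALL),
    # Method 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "M03/04 int 2F/1684 VxD entry point":
        re.compile(rb"\x66?\xb8\x84\x16\x66?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    # Method 05: mov ax,4Fh ; int 41h
    "M05 int 41/4F magic number check":
        re.compile(rb"\x66?\xb8\x4f\x00\xcd\x41"),
    # Method 07: mov ah,43h ; int 68h
    "M07 int 68/43 V86 handler check":
        re.compile(rb"\xb4\x43\xcd\x68"),
    # Method 11 (MeltICE): device names opened with CreateFileA/_lopen
    "M11 MeltICE device name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "M12 VxDCall 2A002A/4F":
        re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    # Method 13: registry key probed to locate the install directory (ASCII only)
    "M13 NuMega registry key":
        re.compile(rb"Software\\NuMega\\SoftICE"),
}


def scan(data: bytes):
    """Return (offset, signature name) pairs for every hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(data):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample (not a real binary): NOP filler around a 32-bit Method 01
# stub, a 16-bit Method 05 stub and the MeltICE device string.
SAMPLE = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"  # M01 ... cmp al,4
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"                  # M05 ... cmp ax,0F386h
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                   # M11 "\\.\SICE"
)
CLEAN = b"\x90" * 16 + b"no tricks here\x00"

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

To scan a real file, pass the bytes of the file read in binary mode to scan(); strings stored as UTF-16 and encodings using other register forms (e.g. mov eax instead of mov ax) are not covered by these patterns.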
</PRE></TD></TR></TBODY></TABLE>