<TABLE width=500>3 V# ?# ^. G! I" ~4 [
<TBODY>
. _, y/ z# {: ^# r+ W' E( G<TR>5 V& j$ w s6 E2 x
<TD><PRE>Method 01
4 J( p* b3 `$ {6 Y1 N2 O8 `* G8 m% ~=========
4 q: S3 z# C t2 Y' w. P& ^' ]; f+ k. I3 I
This method of detection of SoftICE (as well as the following one) is( D" V/ Z8 J9 p; v
used by the majority of packers/encryptors found on Internet.
6 _2 x+ K4 D3 A" g5 X# [' Q( e$ kIt seeks the signature of BoundsChecker in SoftICE
% q4 a) p6 {' p; w2 _6 x9 N3 `7 {8 b
mov ebp, 04243484Bh ; 'BCHK'
9 j* W: r3 E) I( P# d; n mov ax, 04h# R1 Z8 S! D3 E2 N2 V# p: w
int 3 8 n+ P9 @" N7 e2 N
cmp al,43 ]2 v5 A0 g; x) A+ `! r6 m! D
jnz SoftICE_Detected
9 C4 _( \# x8 C9 q$ ]: z6 }+ A% a7 a! `
___________________________________________________________________________
( k$ i/ ?$ H: w/ d# `2 t( Z7 y# R# ? t
Method 02& D7 b4 W7 H5 g
========= J* x* @( C7 }8 A7 A( ?* Q
9 r- u1 s0 ?5 M- J
Still a method very much used (perhaps the most frequent one). It is used
0 u& M% u3 E! D7 |5 K0 v$ Z7 F" sto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
* P! K$ W9 \$ i0 h2 }* uor execute SoftICE commands...( y, l, V# z. d4 o: u8 x2 S
It is also used to crash SoftICE and to force it to execute any commands" m! h# p+ F+ v4 ]& \9 ~, R; t. Q
(HBOOT...) :-((
' Y& i# B M* T* C, o8 L, b8 S+ h3 d# _6 s5 S
Here is a quick description:
0 [, z& a' k ?" }3 _' M% C7 A" b( [-AX = 0910h (Display string in SIce windows)2 I/ O2 K8 @* K& @
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
4 s( P% A% P a+ {8 E1 L-AX = 0912h (Get breakpoint infos)
3 l% l% e j1 p& f-AX = 0913h (Set Sice breakpoints)
8 z8 S8 A7 }$ _, u2 _, t& |5 u+ U-AX = 0914h (Remove SIce breakoints)2 b. I- x8 Y D' q7 B. B7 r
/ R2 _# r1 {) Z" W1 @8 B6 jEach time you'll meet this trick, you'll see:/ _* }$ m" V8 ^. Q
-SI = 4647h
" r3 U5 \5 O, H7 v' O- P-DI = 4A4Dh
1 c* P# A2 o6 C, T7 p( YWhich are the 'magic values' used by SoftIce.4 f( @7 I6 C0 r" l# C' e
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
6 _+ |! f9 ]+ O4 N$ D3 H+ `
6 O2 [1 U3 K9 {/ r ?Here is one example from the file "Haspinst.exe" which is the dongle HASP
8 m8 W* a {8 J" yEnvelope utility use to protect DOS applications:2 Q* S( v# \# R r$ S5 ]) A
0 x! i- J" ^) o' a2 t P# {* i0 |6 }$ V2 H
4C19:0095 MOV AX,0911 ; execute command.$ s! A: h9 z+ L. @% ^/ z6 U8 M/ @
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).% i- O/ ?% _8 J( R
4C19:009A MOV SI,4647 ; 1st magic value." h) Z, W6 |+ @* B
4C19:009D MOV DI,4A4D ; 2nd magic value.
! T8 A- J C( ~6 U% u7 I4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)0 G6 C; V7 ^/ O9 P. L3 G: ?# I
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
9 C3 l9 k' r1 ?' Z$ t4C19:00A4 INC CX Z1 S5 H: i& u$ M; X
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute) f! q4 r# n" l$ v# C6 i
4C19:00A8 JB 0095 ; 6 different commands.+ S/ `2 {6 x: M6 Q9 Q; S5 f
4C19:00AA JMP 0002 ; Bad_Guy jmp back.& m% C; v' [) d" S! O
4C19:00AD MOV BX,SP ; Good_Guy go ahead :): E" q+ p0 L7 G9 U* q9 T! c
: z6 c8 i6 F) pThe program will execute 6 different SIce commands located at ds:dx, which
* D7 c' a8 `4 Gare: LDT, IDT, GDT, TSS, RS, and ...HBOOT., l2 A8 x D: f" k( E" T9 g
, J- F; M- o! S! [( H
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
( M$ n/ s) N8 n: [' A$ R1 l4 G8 |9 U___________________________________________________________________________2 G8 Z l! B) L) G* s% ^: Z
% A+ {/ G4 f" E0 v
8 ^# K- v+ J" h6 m* G! a) l1 f( ZMethod 03; E& r! x+ c, B2 u% _
=========
. C' t7 _3 A) y1 O7 i0 |; w( K1 \# ]# v8 z, c# ^. D
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h/ M2 w( i" z% t* J% L
(API Get entry point)- Z- F. v+ `2 g6 L
- M6 I+ r2 p, _ L: N; }/ E7 F+ i8 d
9 J2 f. Q2 h* b1 f8 m; ] xor di,di9 S7 G" D1 O: l+ j! z* r
mov es,di" B. L& ]- J" t1 {! b" ~7 R. u
mov ax, 1684h ( S5 q" a- v. ~- Q
mov bx, 0202h ; VxD ID of winice
. \2 a$ m4 R4 W! B int 2Fh
! q! j8 |+ u5 r" k" S" N# S mov ax, es ; ES:DI -> VxD API entry point
4 z9 u/ h$ n/ g- `; P* n- t2 Z add ax, di1 o7 ]- c4 h- L& F* Z- W- V7 Z" J
test ax,ax
& E- t* H: Y8 m jnz SoftICE_Detected
+ t4 W6 T2 E. {, B2 ~6 ]. j( t( |! l* s
0 u9 b4 v6 w8 O; ?% @___________________________________________________________________________ E, s5 T% ]% [. M9 w
8 T- Y% x! s8 F& x8 A: o( W% aMethod 04" p! N( k R7 d/ g1 P# T
=========
( n( ?+ q' ?0 v6 {& ^% Z
( a+ o: F0 k. f, y. f2 {Method identical to the preceding one except that it seeks the ID of SoftICE `5 h9 e5 }8 }- G' T
GFX VxD.1 I1 _: |( w& m2 [% _0 B* Z
2 @4 j' m% b. T4 j1 _& y B
xor di,di
3 R' U' ]/ A/ A+ |, M! ] mov es,di
, D$ R8 Z0 N5 E# r" h# } mov ax, 1684h
( R* k$ P% P* T, o i0 s mov bx, 7a5Fh ; VxD ID of SIWVID, c; I' d4 y3 z; Y) |: |* p
int 2fh
3 _" ]8 ~# s! _- U1 H mov ax, es ; ES:DI -> VxD API entry point
% T7 ^" r) i* L+ Z% T add ax, di
5 Z' f( s- U5 q A# T test ax,ax+ t- y5 i/ W" `" M9 h u% ^% U
jnz SoftICE_Detected
: q3 u8 X' e- i, |6 s( N1 U& i' c/ j
__________________________________________________________________________
E4 u2 {7 x: m5 b. o
. S7 i# v6 u! I0 n( S" o) v4 X0 q5 l' K( m( y$ e
Method 05
% h3 L) R( I e! e" h) D; h G0 `=========5 c* ]2 ]3 j7 d: h( y8 \
5 C# c+ q7 i' T9 u: m7 v5 i& \
Method seeking the 'magic number' 0F386h returned (in ax) by all system/ q% C# h1 K- a& r
debugger. It calls the int 41h, function 4Fh.
" K+ L" A! C5 bThere are several alternatives. ) F0 Z# N7 t7 ?8 r
( J3 ~& Q( b9 L8 _$ T& U' X) AThe following one is the simplest:7 H2 O; x w! b% s3 o- [
: U' J- _1 A- E# {# ?9 u& e. J; H
mov ax,4fh" A. G7 x4 s( V
int 41h/ B/ [; i6 K% t6 y5 b
cmp ax, 0F386
1 w: d. X& G- S# k& H9 { jz SoftICE_detected- ^0 k; c5 s1 E( Q5 z+ X' K& A q
3 o2 T: h, C9 ~. |; Z2 w2 w/ B0 ], l+ O4 d% r0 [% O
Next method as well as the following one are 2 examples from Stone's
4 w: O+ F& d" K1 m/ i, ?! v1 y7 Z"stn-wid.zip" (www.cracking.net):
! k/ c7 u9 ^. V6 k7 Q
9 @5 h, O9 \2 S) ?5 U mov bx, cs
6 `6 w! u$ w; i; x lea dx, int41handler2; c2 k" ~' ]- k3 N+ U4 x; ~( D
xchg dx, es:[41h*4]
) L6 X4 d4 f) l: y3 t4 v+ j xchg bx, es:[41h*4+2]
7 m0 ^$ |/ h7 P; P4 F mov ax,4fh
) o. Z7 G5 Z, @1 g2 o! K! P" E int 41h. E2 V1 i0 R6 l" s
xchg dx, es:[41h*4]
9 i2 N2 p ~1 \' |0 U2 ] xchg bx, es:[41h*4+2]
4 C/ C8 B2 _1 p Y; G8 g: k0 R- { cmp ax, 0f386h. p3 m G. D% }! l% D3 R
jz SoftICE_detected& ?# d, E8 j4 G, A2 A8 u0 W, m
. ~( r' G; H8 _9 H* L' Q1 D( j
int41handler2 PROC
" ~& [' J) T$ E* w2 T iret# Z, k) w2 ]) x$ q2 c/ ^2 X& |
int41handler2 ENDP
% c+ F. a" d, E+ e9 U4 ?. @9 r Y9 l0 H/ w0 a# C: I
% y6 S& g& r" f
_________________________________________________________________________
' }$ U3 p8 ]8 }7 ]8 v6 U
9 f! @- J; }( ^6 r( l5 x) f$ Q
2 Y2 Y. g) r) {. h3 XMethod 06
' a Y0 ~2 S# j& ?=========, ? o4 X2 H" g2 K/ d% _
0 q% q7 E q8 H2 W# q) n, L
K) p, F3 r: ^4 R$ y- ^2nd method similar to the preceding one but more difficult to detect: o8 |/ i$ Y+ N
0 }3 S* M4 r) F! [/ \! m7 q" K
- R' N! z8 I: T, k; g. a+ [
int41handler PROC9 t e1 L* X4 w: M6 \
mov cl,al3 w& Q6 e3 v C" `/ u6 q
iret8 f# K9 Y) }( u" j4 M
int41handler ENDP3 O- K( F- Y) a- F$ b' B1 G! I1 ?
: ^+ _7 N* p. e
% Q0 ]0 k; {. h& r) G( r xor ax,ax
2 f. g% R8 V: f3 J5 h mov es,ax% D4 p, `* y- q5 i
mov bx, cs
; b9 C0 e' d* } lea dx, int41handler7 e" t; D: A# n
xchg dx, es:[41h*4]
; o5 N3 z' A6 Q- q xchg bx, es:[41h*4+2]
& j- O& ?$ W! w% O2 @ in al, 40h
1 }5 z" q4 C& ^+ i4 e% X xor cx,cx4 }# v4 p1 S/ y! |
int 41h* L: N G: G& V+ t" X
xchg dx, es:[41h*4]
. K8 q# P9 u+ w, u& g6 k8 T xchg bx, es:[41h*4+2]
) Y) a1 B5 P& X p cmp cl,al' P# e: `) N: u* a' ~& e/ L3 n
jnz SoftICE_detected
8 |3 V8 H x3 h
* \+ B7 r$ f7 K: O/ u+ }_________________________________________________________________________9 {/ L" i) G+ \; }
7 v8 H: b. }" o jMethod 07
4 d0 T+ B* y% q5 C=========
: U: ~4 G" W7 h C, V- U, R9 m- p0 I* Q) G2 h) a2 |0 O4 |
Method of detection of the WinICE handler in the int68h (V86). k9 k/ {0 ^& [
3 n+ R! N6 v/ e& ~# G mov ah,43h0 `8 u R- X# W1 u4 G8 W# i1 ^, ]
int 68h
# I- S, x7 v5 V9 \; r cmp ax,0F386h/ d! U( E( ^; @
jz SoftICE_Detected' ^; L. w- v# z: ^( _% M+ @
' J' I2 k% b4 {4 ~, Q
' y7 ^1 D/ {+ Q; E# r$ R* @/ k/ t$ C, d* R
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
3 X2 ]. q! O' ~ k' Z9 j0 [+ [ app like this:
! V" u3 p5 k8 A: K/ }- t) @- s+ |- \ J7 [
BPX exec_int if ax==68
6 |) U, F, X6 c$ Z$ f' r- I (function called is located at byte ptr [ebp+1Dh] and client eip is; i- k- ?. c& Y& W
located at [ebp+48h] for 32Bit apps)% \# l* A1 z# {$ g
__________________________________________________________________________4 x" Z/ l1 Y3 f- O& d
W. D( Z% O1 ^; s p1 o/ A/ J3 r
% ~, h5 d+ h: [+ K0 {2 ^2 hMethod 08
; v( C' _7 T8 P8 G. b=========; Q+ t# C+ \- j& P
) n) ?6 r* @' @- }3 w$ d( ]
It is not a method of detection of SoftICE but a possibility to crash the8 ~' |% X; R& ]4 }# ]# i
system by intercepting int 01h and int 03h and redirecting them to another
# C4 H- x0 T+ c7 d8 kroutine.9 l5 C5 Y5 R) A5 h' A& u
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
1 ?7 w/ w9 n( l9 v+ l/ m& I7 _to the new routine to execute (hangs computer...)$ q) X! |7 o/ j2 @6 l
1 g& e; f/ I- C6 Z! F2 Z mov ah, 25h
; n* z; ]: X/ o; Z4 ^0 z! V( |( i mov al, Int_Number (01h or 03h)! J6 n3 T6 v/ Z
mov dx, offset New_Int_Routine
$ S* _& o8 X" H int 21h' \+ M' k/ A. C! Z* l+ z3 w# @
. Z: I W5 t, T% E" W__________________________________________________________________________; m, N7 z& V) r+ i
1 [. h' K4 O& n0 J( C+ v9 S! W: u
Method 09' q+ y/ R) |% q+ `, F
=========
- ^5 V N0 M1 W: B" _. A. w. \* G" b: J3 x
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only. M6 y1 ^, p4 J" m+ f, [
performed in ring0 (VxD or a ring3 app using the VxdCall).
3 V7 t$ W9 |' t/ r: JThe Get_DDB service is used to determine whether or not a VxD is installed! g$ X6 x, A; `% L0 ]
for the specified device and returns a Device Description Block (in ecx) for# G# C# s* m3 h+ V! }7 e
that device if it is installed.0 s H3 c! ?. z1 ~& n
0 f3 |" {0 L$ f% i mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID+ P/ H+ x2 z& ^) {2 |) l8 i
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)2 n& e. p4 ^/ ~6 O, q3 y
VMMCall Get_DDB
, f# U/ c& L+ c- u6 \* Q mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed6 c$ W& O* \0 G, C0 |0 r
6 P5 e- y4 V6 ]+ O- h
Note as well that you can easily detect this method with SoftICE:# k2 Z5 w5 `5 Y7 I, O* k8 A; z
bpx Get_DDB if ax==0202 || ax==7a5fh9 u$ c; }; b0 t* i9 R) M
y1 f/ o, T$ Z& \8 S- i% N- ^6 F. i8 l__________________________________________________________________________6 E8 S' [, ^, N) _- `% o, Y2 Z
7 A- {1 j" j$ X) `1 f
Method 10
* `9 I: I% W* h0 t! k- M: `=========; a, r5 i( k4 h- r& U% m! O
f5 j1 Q# Q0 G3 M: X b=>Disable or clear breakpoints before using this feature. DO NOT trace with) C6 q9 Q8 q1 l5 |
SoftICE while the option is enable!!2 N, w- Y9 w& z, Z! @ Q
$ f! |% N$ h; e0 d8 ^0 T' a0 PThis trick is very efficient:
4 L# _, [$ r& \$ Dby checking the Debug Registers, you can detect if SoftICE is loaded; o5 N/ l; _; `
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if2 h) @& h ~- L% z' h" e8 O
there are some memory breakpoints set (dr0 to dr3) simply by reading their% a+ A# g/ |0 `9 s
value (in ring0 only). Values can be manipulated and or changed as well
1 q! N- f% b8 r% I/ }2 [(clearing BPMs for instance)
; k0 q4 `& ~: P1 Y( h5 @: ]" z" | B, J
__________________________________________________________________________$ G4 x Y+ r: r9 P; y f7 S
4 r ^5 v5 m; m/ o- WMethod 11# _% u; Y6 s; E' y( B6 l( ]
=========$ E1 J# W9 o- J; r% L4 D
. d% m2 v8 q/ q+ o GThis method is most known as 'MeltICE' because it has been freely distributed6 F- W. c- g& J- f b9 Y. ~- h
via www.winfiles.com. However it was first used by NuMega people to allow
# s6 ^% Q I) z1 v0 A3 {! |; }Symbol Loader to check if SoftICE was active or not (the code is located
$ ?- [# O# `5 V! xinside nmtrans.dll).
5 L; _/ d3 f2 I* R9 m7 h' |$ m- [ s" |1 f+ O8 L: w! f$ o
The way it works is very simple:
+ `2 l( i8 v5 _4 t zIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
3 a2 Z$ C/ \3 ]4 R9 qWinNT) with the CreateFileA API.
3 u; [ E9 V0 ?4 i
9 ^9 ^& D5 h) o# DHere is a sample (checking for 'SICE'):; f5 |7 Z/ j/ r/ A3 d( n# T
* G' _6 |! t/ ?. q
BOOL IsSoftIce95Loaded()& o4 ]* e8 q- @) r. ^. G$ a' q
{% x) A% Z/ @5 Y: C
HANDLE hFile;
7 g/ K+ `4 P0 b5 i hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
G# {$ L4 I/ O$ E* \& F FILE_SHARE_READ | FILE_SHARE_WRITE,$ C% ^1 W# h1 p) t% W
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);7 T3 L0 t* `* _* y2 \, ~6 _
if( hFile != INVALID_HANDLE_VALUE )' N5 m. z& D: A% d3 E* d1 b% }( f
{
x r1 _. b/ B( \6 L: t$ s. D" ? CloseHandle(hFile);
5 G, `, k" [- I) A8 z return TRUE;& R. @+ c& y% J7 D0 Y
}
. ~& b5 n$ b: L7 O4 v return FALSE;6 T/ f7 Z0 k+ o# f3 F5 F
}8 w4 V- ?9 z/ j0 @$ Q$ f
" w6 J; ^4 [* [0 h! I3 C1 p4 G
Although this trick calls the CreateFileA function, don't even expect to be2 |* G: O, X. \ G+ R# u
able to intercept it by installing a IFS hook: it will not work, no way!
$ E3 q9 Q4 r- ?3 X- DIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
( K+ S0 b! [1 x* q5 b- w( Gservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)* s$ _4 r* Z( I. s! G
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
1 H5 r2 ?' ?" Y2 L0 t! ffield.
# }7 ?5 Q! z% G2 b1 ?4 zIn fact, its purpose is not to load/unload VxDs but only to send a % a, Y; O( [5 V/ p
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)! Z( p, Z. s5 S* R: X- `, Z0 ^9 A
to the VxD Control_Dispatch proc (how the hell a shareware soft could try& d. O3 [/ ?3 }! R; U
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
8 k( J$ [% l. j- `/ j* ]If the VxD is loaded, it will always clear eax and the Carry flag to allow
, |5 x: g9 F Nits handle to be opened and then, will be detected.- M* c. S& U- e, w1 u
You can check that simply by hooking Winice.exe control proc entry point
]1 j( T2 _" z% T& Y ?0 h/ o& q9 Swhile running MeltICE.; I) D7 {+ p' L8 Q
% K3 W q$ `3 L% i( }+ |
! p& _: q$ _" o9 d L+ C
00401067: push 00402025 ; \\.\SICE" l% [/ q! d3 ^) Y# ^+ a7 w8 z+ d8 y
0040106C: call CreateFileA3 i1 ?) B6 r4 V! l: @
00401071: cmp eax,-001
8 m. C8 H6 I! ~0 |& b" Q) k& K 00401074: je 00401091
: d, s! n& X- w ?0 g
& q8 k3 E% r$ q* ]# a9 U# j: f6 l1 N# q
There could be hundreds of BPX you could use to detect this trick.( ?9 k+ A8 o, W+ [) K$ X. @: h7 r
-The most classical one is:
1 b6 a' K$ C/ A# e! d$ U BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||# z2 E* d5 r ]' g' K
*(esp->4+4)=='NTIC'
8 ?2 d1 h2 y* y) n% K! ~( S/ K* j( H Y |3 ^. e, p
-The most exotic ones (could be very slooooow :-(
+ N8 M* L: K% j7 {3 y2 \+ Z i. B BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') + I2 F3 j; n% R: k; @! H& Q* U; G' S
;will break 3 times :-(2 O& [& w# {6 L8 Y. N( |. Z! ?
. w; |$ N' E: z F: Q# `2 Y) y# ~-or (a bit) faster:
! [. A) s# {0 K. d- s0 f BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
/ C1 Y1 r% n* K1 ]2 ?1 ^- o& [1 [, k4 p6 K& ^! M
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
, t6 r. z* f( K u ;will break 3 times :-(6 R$ k' S3 i& z2 S& r! s) C
F; I$ a: B9 o2 J% ^4 N-Much faster:
8 Y9 s) J9 W. z: B: U8 n BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
5 W, W, V- [, d8 c% u: \: l
. `( A/ ]0 q, o: L6 E) I: L5 yNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
. j7 l w- e7 e& j$ m, ]6 Yfunction to do the same job:1 p% ~0 t5 [' `5 {
1 s; @* F7 ^. J0 p" u* J( n push 00 ; OF_READ
1 @" r; h; E5 }! g7 T- Y5 z8 k mov eax,[00656634] ; '\\.\SICE',07 q$ `# g: [9 m. D" J8 K2 y1 e
push eax
( \9 x" Z$ R. R) y/ v ^* B5 i call KERNEL32!_lopen
- y3 _5 B7 k9 p inc eax
4 V& J' v: ^. R( Q jnz 00650589 ; detected. a, u) M: u i p; y- Z& ]
push 00 ; OF_READ
4 {' q3 {* f* @/ y y mov eax,[00656638] ; '\\.\SICE', G! r- Z7 {) ~ O) Q
push eax1 r' W" F2 w" g4 V G
call KERNEL32!_lopen+ ]! D/ w3 H, B& e2 Q7 r% O- c
inc eax. F# {4 K1 K* ?! ?; K
jz 006505ae ; not detected5 ]2 o0 h$ E5 J
( Z3 E2 `% G3 ?6 z3 @7 {2 B" @
( U. z# D) N6 h! W, H u__________________________________________________________________________
% ~ e `& s# ] ] R6 i0 B, R3 T! h3 ?: G: e
Method 12
8 `6 B8 z5 a# g/ d+ A- m=========2 B/ F4 u# p! r
$ g S. {. G. ^0 b4 S
This trick is similar to int41h/4fh Debugger installation check (code 05
P8 y9 d6 ]# C1 J7 A0 [# h& 06) but very limited because it's only available for Win95/98 (not NT)
6 D2 n, X3 n% w- c% [as it uses the VxDCall backdoor. This detection was found in Bleem Demo.) k5 Z% i, q* ^( U
' K+ y9 v: k3 w k' r9 a; G push 0000004fh ; function 4fh7 T4 R5 Z8 w: [) ?2 _' J
push 002a002ah ; high word specifies which VxD (VWIN32)
, ~" I+ k4 U3 F ; low word specifies which service" x# t% k' D1 D; {
(VWIN32_Int41Dispatch)
5 ~# g& t! G* Q call Kernel32!ORD_001 ; VxdCall
( q _5 s8 @7 N5 A" f+ Q, n cmp ax, 0f386h ; magic number returned by system debuggers* s$ N$ t4 M. G: c
jz SoftICE_detected' T7 Z+ j8 N! g% d- X
* f" ~( O& A, K; x6 g" Y& z" O
Here again, several ways to detect it:
, ^' O. X/ R1 g3 C
) e: Q" t6 A& n, a& A+ ? BPINT 41 if ax==4f4 J6 u" q+ r, A; {' _
' |. l' S! X' G3 k1 A
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
( v7 a% t/ c; R) C( ^: h" h$ J {
1 ]7 ?- t9 ^! h1 ] BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A, m8 T; K. s9 J2 v8 a
7 `, j/ Y' X/ z' `: S, v" f0 ? BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!0 i, H- [$ Z$ |( g7 m: r, m
1 V- A1 s; U8 {4 s6 d. u" u" o
__________________________________________________________________________
. n# N3 C/ G: H6 k) S* X
+ g. Z1 c0 O" i5 r. K1 E2 T5 }Method 13
: K1 |, }/ [$ j* l o=========
, e" N6 T6 G {1 v( m+ X9 t1 z. x4 r+ m: G# J J9 ?. E2 v
Not a real method of detection, but a good way to know if SoftICE is! X& |/ w& k/ i" K* O' S0 F5 I# z
installed on a computer and to locate its installation directory.
; N: s; I8 G6 {It is used by few softs which access the following registry keys (usually #2) :0 V$ [: n4 s% `9 M
8 o F7 A& `- r f" c
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion* Q4 t, W3 T# @* J: K% |- a. \& F
\Uninstall\SoftICE6 X6 M8 q6 x3 P5 [
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
9 F& M2 ?: C2 J0 {- g-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion# C, A2 \8 r' h5 W9 C; K6 V3 V
\App Paths\Loader32.Exe
! o8 R9 ?! g: h. M! \; A* @2 i* z; D8 w6 A: m# a
* e, x4 v% V, m% s: pNote that some nasty apps could then erase all files from SoftICE directory
5 H, d. U, K: p/ T8 Z5 X2 q(I faced that once :-(/ |7 _8 R. ~9 a4 {: \
9 C# C8 ?1 K) y
Useful breakpoint to detect it:
. h$ U/ Q, r5 P1 D+ n% A6 u {
: [# t; F- O' {7 o BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'" Z- f. Z, q) f9 E9 k) E
( ?9 z/ {; M7 A4 \2 A# `4 P
__________________________________________________________________________
8 ]2 [1 s, \* H, C8 t$ f7 J" d* { L( y) m% h; \
9 R, I. d) m9 FMethod 14
' J5 V, M2 j( v/ C========= Z, M+ _6 d6 s- Q8 n Z
2 P& Z" I7 Q! M) }5 ~& L( a8 ^A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose1 f! T8 ~7 f; \' }
is to determines whether a debugger is running on your system (ring0 only).
/ s, Y- {* G8 _7 N8 ^
0 b9 }* Y; N4 w# t6 l, r VMMCall Test_Debug_Installed3 d! W, H6 ~% Q
je not_installed
4 O% S }0 i' Z" m
' `' M- Q: \: U% J, y* a# K: oThis service just checks a flag.
2 @6 N* o0 P0 \! I) J2 \</PRE></TD></TR></TBODY></TABLE> |