<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; without SoftICE, AL comes back unchanged
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It relies on
the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax              ; ES:DI stays 0 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD:

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by any system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next one, as well as Method 06, are two examples taken from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES must address segment 0 (the interrupt vector table), as set up in Method 06
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old one
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h                 ; SoftICE answers 0F386h even with our handler installed
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al               ; our handler copies AL into CL
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, saving the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the PIT counter: an unpredictable value
    xor cx,cx
    int 41h                 ; if SoftICE handles the int, CL is never set
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; DOS set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it is thus detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025 ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set if no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>