<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: SoftICE answers the
INT 3 call below by changing AL, so if AL is still 4 afterwards the
debugger is not loaded.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It calls the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command -the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)


The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed by the program's own INT 3 exception
handler, which gets control when the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the SoftICE VxD by its ID via int 2Fh/1684h
(VxD API "Get Entry Point"). ES:DI is returned as the VxD API entry point
and stays at 0000:0000 (the code zeroes it first) when the VxD is not
loaded, so any non-zero ES or DI means SoftICE is present.


 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it asks for the ID of the
SoftICE GFX VxD (SIWVID).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy int 41h handler (a bare iret) is
swapped into the interrupt vector table before the call and swapped back
after it: if ax still comes back as 0F386h, something other than the
program's own handler answered the interrupt.

 xor ax,ax
 mov es,ax ; ES = 0000h, the interrupt vector table
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect,
because AX is not set to 4Fh: a "BPINT 41 if ax==4f" will not fire on it.
AL is loaded with a changing value read from the timer port (40h) and the
program's own handler copies AL into CL. When SoftICE handles int 41h
itself instead of letting the program's handler run, CL stays 0 and no
longer equals AL. (If the port happens to return 0 the check gives a
false negative.)


int41handler PROC
 mov cl,al
 iret
int41handler ENDP


 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86)

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

 push cs
 pop ds ; DS:DX = address of the new handler
 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

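What a ring-0 check of this kind has to do with the register values, as an added example that is not code from the original article: it decodes DR7 and DR0-DR3 into the list of active hardware breakpoints, separates the LE/GE bits (the difference between the 0x700 and 0x400 values quoted above) from the per-breakpoint enable bits, and shows what "clearing BPMs" amounts to. The bit layout is the documented x86 one (DR7 bits 0-7 are L0/G0..L3/G3, bits 8-9 are LE/GE, bit 10 is reserved and reads as 1, bits 16+4n..19+4n are R/Wn and LENn); the register values fed to it are constructed for the example.

```c
/* Added example, not code from the article: decoding the debug registers the
 * way a Method 10 style check must, on constructed register values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DR7_LE           0x100u   /* local exact breakpoint enable  */
#define DR7_GE           0x200u   /* global exact breakpoint enable */
#define DR7_RESERVED_ONE 0x400u   /* bit 10 always reads as 1       */

typedef struct {
    uint32_t dr[4];               /* DR0..DR3: linear addresses of the breakpoints */
    uint32_t dr7;
} debug_regs_t;

typedef struct {
    int         slot;             /* 0..3 */
    uint32_t    address;
    const char *kind;             /* "exec", "write", "io" (needs CR4.DE), "rw" */
    unsigned    length;           /* 1, 2, 4, or 8 (8 only in long mode) */
} hw_bp_t;

/* 0x400 is just the reserved bit: nothing touched DR7. 0x700 adds LE|GE,
 * the value the article reports when the target was started from the
 * SoftICE loader. */
int dr7_has_exact_enables(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* Bitmask (bit n = DRn) of slots whose local or global enable bit is set. */
unsigned dr7_enabled_slots(uint32_t dr7)
{
    unsigned slots = 0;
    for (int n = 0; n < 4; n++)
        if (dr7 & (3u << (2 * n)))          /* Ln = bit 2n, Gn = bit 2n+1 */
            slots |= 1u << n;
    return slots;
}

/* Fills out[] with the enabled breakpoints; returns how many there are. */
int decode_hw_breakpoints(const debug_regs_t *r, hw_bp_t out[4])
{
    static const char *const kinds[4]   = { "exec", "write", "io", "rw" };
    static const unsigned    lengths[4] = { 1, 2, 8, 4 };  /* LEN: 00=1 01=2 10=8 11=4 */
    unsigned enabled = dr7_enabled_slots(r->dr7);
    int count = 0;
    for (int n = 0; n < 4; n++) {
        if (!(enabled & (1u << n)))
            continue;
        unsigned rw  = (r->dr7 >> (16 + 4 * n)) & 3;   /* R/Wn field */
        unsigned len = (r->dr7 >> (18 + 4 * n)) & 3;   /* LENn field */
        out[count].slot    = n;
        out[count].address = r->dr[n];
        out[count].kind    = kinds[rw];
        out[count].length  = (rw == 0) ? 1 : lengths[len]; /* exec bps are 1 byte */
        count++;
    }
    return count;
}

/* "Clearing BPMs": drop the enable bits and the R/W and LEN fields, keep
 * LE/GE and the reserved bit so the value still looks untouched. */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

int main(void)
{
    /* Constructed sample: DR7 = 0x700 with DR0 enabled locally (L0) as a
     * 4-byte write breakpoint (R/W0 = 01, LEN0 = 11) on 0x00401000. */
    debug_regs_t r = { { 0x00401000u, 0, 0, 0 },
                       0x700u | 0x1u | (1u << 16) | (3u << 18) };
    hw_bp_t bps[4];
    int n = decode_hw_breakpoints(&r, bps);
    printf("DR7=%#x exact-enables=%d breakpoints=%d\n",
           r.dr7, dr7_has_exact_enables(r.dr7), n);
    for (int i = 0; i < n; i++)
        printf("  DR%d: %s len=%u at %08x\n",
               bps[i].slot, bps[i].kind, bps[i].length, bps[i].address);
    printf("DR7 after clearing BPMs: %#x\n", dr7_clear_breakpoints(r.dr7));
    return 0;
}
```

Reading or writing these registers is a privileged operation, which is why the article says ring0 only; from user mode on NT-family systems the same values are visible through the thread context instead, and the decoding is identical.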
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                     FILE_SHARE_READ | FILE_SHARE_WRITE,
                     NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
   CloseHandle(hFile);
   return TRUE;
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'
(esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, and since a
dword is compared only the first four characters of the device name are
tested, hence 'SIWV' and 'NTIC'.)

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________
Method 12
=========


This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
                ; low word specifies which service
                ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f

 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
(esp->8 is the lpSubKey argument; 0x13 is the offset of "tICE" in key #2
and 0x37 its offset in key #1.)

__________________________________________________________________________

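The byte patterns the tricks above leave behind in a binary, as an added example that is not code from the original article: a small signature scanner for the instruction sequences of methods 01, 02, 03/04, 05, 07 and 12 and for the device and registry names of methods 11 and 13. The encodings are standard x86, assuming 16-bit code for the DOS-style checks (methods 01-07) and 32-bit code for method 12; the buffer it scans is hand-assembled for the example. Real packers split or obfuscate these sequences, so the exact-match signatures are a starting point, not a complete detector.

```c
/* Added example, not code from the article: signature scan for the
 * anti-SoftICE tricks catalogued above, run on a constructed code buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *method;
    const uint8_t *bytes;
    size_t         len;
} sig_t;

/* Shortest distinctive fragment of each method's code (16-bit code unless noted). */
static const uint8_t sig_m01[] = { 0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42 };             /* mov ebp,4243484Bh ('BCHK') */
static const uint8_t sig_m02[] = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };             /* mov si,4647h ; mov di,4A4Dh */
static const uint8_t sig_m03[] = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* mov ax,1684h ; mov bx,0202h ; int 2Fh */
static const uint8_t sig_m04[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* same with bx=7A5Fh (SIWVID) */
static const uint8_t sig_m05[] = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };                   /* mov ax,4Fh ; int 41h */
static const uint8_t sig_m07[] = { 0xB4, 0x43, 0xCD, 0x68 };                         /* mov ah,43h ; int 68h */
static const uint8_t sig_m12[] = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 };       /* push 4Fh ; push 002A002Ah (32-bit code) */

#define BYTES(name, arr)  { name, arr, sizeof arr }
#define STRING(name, lit) { name, (const uint8_t *)lit, sizeof lit - 1 }

static const sig_t signatures[] = {
    BYTES ("01 BCHK/int 3",            sig_m01),
    BYTES ("02 back door magic",       sig_m02),
    BYTES ("03 int 2F/1684 SICE",      sig_m03),
    BYTES ("04 int 2F/1684 SIWVID",    sig_m04),
    BYTES ("05 int 41/4F",             sig_m05),
    BYTES ("07 int 68/43",             sig_m07),
    BYTES ("12 VxDCall Int41Dispatch", sig_m12),
    STRING("11 MeltICE \\\\.\\SICE",   "\\\\.\\SICE"),
    STRING("11 MeltICE \\\\.\\SIWVID", "\\\\.\\SIWVID"),
    STRING("11 MeltICE \\\\.\\NTICE",  "\\\\.\\NTICE"),
    STRING("13 registry key #2",       "Software\\NuMega\\SoftICE"),
};

size_t signature_count(void) { return sizeof signatures / sizeof signatures[0]; }
const char *signature_name(size_t i) { return signatures[i].method; }

/* Offset of the first occurrence of signature i in buf, or -1 if absent. */
long find_signature(const uint8_t *buf, size_t len, size_t i)
{
    const sig_t *s = &signatures[i];
    if (s->len == 0 || s->len > len)
        return -1;
    for (size_t off = 0; off + s->len <= len; off++)
        if (memcmp(buf + off, s->bytes, s->len) == 0)
            return (long)off;
    return -1;
}

/* Bitmask (bit i = signatures[i]) of every signature found in buf. */
unsigned scan_anti_softice(const uint8_t *buf, size_t len)
{
    unsigned hits = 0;
    for (size_t i = 0; i < signature_count(); i++)
        if (find_signature(buf, len, i) >= 0)
            hits |= 1u << i;
    return hits;
}

/* Constructed sample: a 16-bit routine using methods 05, 02 and 03, followed
 * by a "\\.\SICE" string as a data area would hold it for method 11. */
const uint8_t sample_code[] = {
    0x90, 0x90,                                      /* nop ; nop                 (offset 0)  */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,                    /* mov ax,4Fh ; int 41h      (offset 2)  */
    0x3D, 0x86, 0xF3, 0x74, 0x00,                    /* cmp ax,0F386h ; jz $+2    (offset 7)  */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,        /* mov si,4647h ; mov di,4A4Dh ; int 3 (12) */
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,  /* mov ax,1684h ; mov bx,0202h ; int 2Fh (19) */
    0xC3,                                            /* ret                       (offset 27) */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0     /* "\\.\SICE",0              (offset 28) */
};

int main(void)
{
    unsigned hits = scan_anti_softice(sample_code, sizeof sample_code);
    for (size_t i = 0; i < signature_count(); i++)
        if (hits & (1u << i))
            printf("method %-26s at offset %ld\n", signature_name(i),
                   find_signature(sample_code, sizeof sample_code, i));
    return 0;
}
```

The scanner works on raw code bytes, so it has to be pointed at an unpacked image: the packers this article is about keep the checks inside their own decryption stubs, and the stub itself is what to scan.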
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>