<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE recognises on
int 3: with ebp='BCHK' and ax=4, a loaded SoftICE handles the call and
al no longer holds 4 afterwards.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4                   ; still 4 if nobody answered the call
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints, execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV  AX,0911    ; execute command.
4C19:0098 MOV  DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647    ; 1st magic value.
4C19:009D MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0 INT  3          ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD  BX,02      ; BX+2 to point to the next command to execute
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06      ; repeat 6 times to execute
4C19:00A8 JB   0095       ; 6 different commands.
4C19:00AA JMP  0002       ; Bad_Guy: jump back.
4C19:00AD MOV  BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
# H2 x4 j- y4 n$ o' g8 f" ^
/ D7 q- A1 J8 }: AMethod 03" ~! N' R6 L; L$ j7 @% _4 `9 o
=========" I. T2 z! K1 l( }
( Z+ [/ u, {7 y( ], L9 NLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
, O/ C5 i, p- m8 F2 I7 _7 `(API Get entry point)# s) J9 m, T, N
- d: j$ d- P! E5 E4 G
! G7 x) O/ ` R: l8 J xor di,di
0 O9 Y* @+ ^5 N. S9 a1 N! k3 t mov es,di E2 W6 Y6 K& y/ h1 B: y5 ]
mov ax, 1684h
4 g9 w, Q# D P# S h mov bx, 0202h ; VxD ID of winice
9 b% H+ Q3 m4 g `0 M int 2Fh8 i1 J" n t" H( H
mov ax, es ; ES:DI -> VxD API entry point
5 ]. t7 @4 [' Z$ o add ax, di
8 e3 ?& G8 w* C3 y test ax,ax
. `% `0 y0 j" M5 s jnz SoftICE_Detected. ? ?: g5 p6 G: r( R6 l
8 F5 i; T4 B/ I
___________________________________________________________________________# ~7 c- p/ z6 n. p ^8 `9 G; ? D/ [

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE video VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check). There are several variants.

The following one is the simplest:

        mov     ax, 4fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next one, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy handler is temporarily installed
in the interrupt vector table, so a plain int 41h returns with ax
unchanged; if ax still comes back as 0F386h, something sitting in front
of the IVT (SoftICE) answered the call:

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install the dummy handler, save the old vector
        xchg    bx, es:[41h*4+2]
        mov     ax, 4fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the old vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0f386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to spot: no function
number is requested. A byte read from the timer port is kept in al, cx is
cleared, and the dummy handler copies al into cl. If cl and al differ
afterwards, the dummy handler never ran, i.e. something else handled the
int 41h:

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; pseudo-random byte from timer channel 0
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system:
it intercepts int 01h and int 03h and redirects them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov     ah, 25h
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to Methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (in a VxD, or from a ring-3 app through VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
of that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov     edi, Device_Name        ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7A5F


__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before testing this trick. DO NOT
trace with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) and whether memory breakpoints are set (dr0 to dr3), simply by
reading their values (possible in ring 0 only). The values can be
manipulated and changed as well (clearing BPMs, for instance).
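To make the two values quoted above concrete, here is an added example (not code from the original page): a small C decoder for DR7 that shows what 0x400 and 0x700 contain, what a DR7 looks like once a memory breakpoint is armed, and the "clear BPMs" manipulation the text mentions. Reading DR7 itself needs ring 0 (mov eax,dr7 faults in user mode), so the decoder works on a value captured elsewhere; the sample values below are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one of the four hardware breakpoint slots in DR7. */
typedef struct {
    int      enabled;   /* L<n> or G<n> bit set                            */
    int      global;    /* G<n> bit set                                    */
    unsigned rw;        /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    unsigned len;       /* breakpoint length in bytes: 1, 2, 4 or 8        */
} dr7_slot_t;

typedef struct {
    dr7_slot_t slot[4];
    int le, ge;         /* bits 8/9: local/global exact breakpoint enable  */
    int gd;             /* bit 13: general detect (traps access to DRn)    */
    int n_enabled;      /* number of armed slots                           */
} dr7_info_t;

/* LEN field encoding (bits 18-19 + 4*n): 00=1, 01=2, 11=4, 10=8 (64-bit only). */
static unsigned len_bytes(unsigned code)
{
    static const unsigned table[4] = { 1, 2, 8, 4 };
    return table[code & 3];
}

dr7_info_t decode_dr7(uint32_t dr7)
{
    dr7_info_t d = { 0 };
    for (int n = 0; n < 4; n++) {
        unsigned l = (dr7 >> (2 * n)) & 1;          /* L<n>: bit 2n   */
        unsigned g = (dr7 >> (2 * n + 1)) & 1;      /* G<n>: bit 2n+1 */
        d.slot[n].enabled = (int)(l | g);
        d.slot[n].global  = (int)g;
        d.slot[n].rw      = (dr7 >> (16 + 4 * n)) & 3;
        d.slot[n].len     = len_bytes((dr7 >> (18 + 4 * n)) & 3);
        d.n_enabled      += d.slot[n].enabled;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The check the text describes: LE/GE set (the 0x700 left by the SoftICE
 * loader; 0x400 is only the always-set reserved bit 10) or any armed slot
 * (a BPM) means a debugger has touched the registers. */
int dr7_shows_debugger(uint32_t dr7)
{
    dr7_info_t d = decode_dr7(dr7);
    return d.le || d.ge || d.n_enabled > 0;
}

/* The "clearing BPMs" manipulation: drop every L/G enable bit and the
 * R/W and LEN fields; keep bits 8-15 (LE, GE, reserved bit 10, GD). */
uint32_t dr7_clear_bpm(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

void print_dr7(uint32_t dr7)
{
    static const char *rw_name[4] = { "exec", "write", "io", "read/write" };
    dr7_info_t d = decode_dr7(dr7);
    printf("DR7=%08x  LE=%d GE=%d GD=%d  armed=%d%s\n", (unsigned)dr7, d.le, d.ge,
           d.gd, d.n_enabled, dr7_shows_debugger(dr7) ? "  -> debugger present" : "");
    for (int n = 0; n < 4; n++)
        if (d.slot[n].enabled)
            printf("  DR%d: %s, %u byte(s), %s\n", n, rw_name[d.slot[n].rw],
                   d.slot[n].len, d.slot[n].global ? "global" : "local");
}

int main(void)
{
    /* Constructed sample values: the two quoted by the text, and a DR7 as
     * left by a 4-byte read/write BPM on DR0 (G0 | RW0=11b | LEN0=11b). */
    print_dr7(0x400);
    print_dr7(0x700);
    print_dr7(0x000F0402);
    print_dr7(dr7_clear_bpm(0x000F0402));
    return 0;
}
```

The decoder shows why the text's two numbers differ: 0x700 is 0x400 plus the LE and GE bits (8 and 9), with no slot armed, while a BPM sets an L/G bit plus the R/W and LEN fields of its slot in the high word.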

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name under which the SoftICE VxD answers */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then
browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025       ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp  eax,-001       ; INVALID_HANDLE_VALUE
00401074: je   00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax, [00656634]         ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax, [00656638]         ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

        push    0000004fh               ; function 4fh
        push    002a002ah               ; high word selects the VxD (VWIN32),
                                        ; low word the service (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001       ; VxDCall
        cmp     ax, 0f386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:
        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
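The instruction sequences that Methods 01 to 07 and 12 leave in a binary, and the device names used by Method 11, are fixed enough to be searched for statically before the program is ever run under SoftICE. The following is an added example, not code from the original page: a small C scanner over a raw code image. The patterns are the byte encodings of the instructions quoted in those methods (the 16-bit DOS forms, with the 66h prefix omitted where it would otherwise keep the 32-bit form from matching); the sample image is constructed here from the Haspinst.exe loop of Method 02, the int 2Fh/1684h probe of Method 03 and a \\.\SICE string, and is not a real binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One bit per trick family found in the image. */
enum {
    HIT_BCHK       = 1u << 0,  /* Method 01: mov ebp,'BCHK' before int 3       */
    HIT_BACKDOOR   = 1u << 1,  /* Method 02: mov si,4647h ; mov di,4A4Dh       */
    HIT_INT2F_SICE = 1u << 2,  /* Method 03: int 2Fh/1684h with bx=0202h       */
    HIT_INT2F_SIWV = 1u << 3,  /* Method 04: int 2Fh/1684h with bx=7A5Fh       */
    HIT_INT41_4F   = 1u << 4,  /* Method 05: mov ax,4Fh ; int 41h              */
    HIT_INT68_43   = 1u << 5,  /* Method 07: mov ah,43h ; int 68h              */
    HIT_CMP_F386   = 1u << 6,  /* Methods 05/07/12: cmp ax,0F386h              */
    HIT_VXDCALL    = 1u << 7,  /* Method 12: push 4Fh ; push 002A002Ah         */
    HIT_DEVNAME    = 1u << 8   /* Method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE */
};

/* Byte encodings of the instructions quoted above.  The 66h operand-size
 * prefix is left out of p_bchk and p_f386 so they match 16- and 32-bit code. */
static const uint8_t p_bchk[]     = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
static const uint8_t p_backdoor[] = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };
static const uint8_t p_2f_sice[]  = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F };
static const uint8_t p_2f_siwv[]  = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
static const uint8_t p_41_4f[]    = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
static const uint8_t p_68_43[]    = { 0xB4, 0x43, 0xCD, 0x68 };
static const uint8_t p_f386[]     = { 0x3D, 0x86, 0xF3 };
static const uint8_t p_vxdcall[]  = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 };
static const uint8_t p_sice[]     = "\\\\.\\SICE";
static const uint8_t p_siwvid[]   = "\\\\.\\SIWVID";
static const uint8_t p_ntice[]    = "\\\\.\\NTICE";

typedef struct {
    unsigned       bit;
    const char    *desc;
    const uint8_t *pat;
    size_t         len;
} sig_t;

#define BYTES(p) p, sizeof p            /* raw byte pattern              */
#define TEXT(p)  p, sizeof p - 1        /* string pattern without the NUL */

static const sig_t sigs[] = {
    { HIT_BCHK,       "Method 01: BoundsChecker 'BCHK' int 3 check",         BYTES(p_bchk) },
    { HIT_BACKDOOR,   "Method 02: int 3 back door magic (si='FG', di='JM')", BYTES(p_backdoor) },
    { HIT_INT2F_SICE, "Method 03: int 2Fh/1684h for VxD 0202h (WINICE)",     BYTES(p_2f_sice) },
    { HIT_INT2F_SIWV, "Method 04: int 2Fh/1684h for VxD 7A5Fh (SIWVID)",     BYTES(p_2f_siwv) },
    { HIT_INT41_4F,   "Method 05: int 41h/4Fh debugger installation check",  BYTES(p_41_4f) },
    { HIT_INT68_43,   "Method 07: int 68h/43h debugger installation check",  BYTES(p_68_43) },
    { HIT_CMP_F386,   "cmp ax,0F386h (debugger magic number)",               BYTES(p_f386) },
    { HIT_VXDCALL,    "Method 12: VxDCall VWIN32_Int41Dispatch, fn 4Fh",     BYTES(p_vxdcall) },
    { HIT_DEVNAME,    "Method 11: device name \\\\.\\SICE",                  TEXT(p_sice) },
    { HIT_DEVNAME,    "Method 11: device name \\\\.\\SIWVID",                TEXT(p_siwvid) },
    { HIT_DEVNAME,    "Method 11: device name \\\\.\\NTICE",                 TEXT(p_ntice) },
};

/* Offset of the first occurrence of pat at or after `from`, or -1 if none. */
static long find_from(const uint8_t *buf, size_t n, const uint8_t *pat, size_t len, size_t from)
{
    for (size_t i = from; len > 0 && i + len <= n; i++)
        if (memcmp(buf + i, pat, len) == 0)
            return (long)i;
    return -1;
}

/* Scan a raw code image, print every hit and return the OR of the HIT_ bits found. */
unsigned scan_image(const uint8_t *buf, size_t n)
{
    unsigned found = 0;
    for (size_t s = 0; s < sizeof sigs / sizeof sigs[0]; s++) {
        long off = find_from(buf, n, sigs[s].pat, sigs[s].len, 0);
        while (off >= 0) {
            printf("%08lx  %s\n", off, sigs[s].desc);
            found |= sigs[s].bit;
            off = find_from(buf, n, sigs[s].pat, sigs[s].len, (size_t)off + 1);
        }
    }
    return found;
}

/* Constructed sample image (not a real binary): the Haspinst.exe loop of
 * Method 02, the int 2Fh/1684h probe of Method 03 and a MeltICE device name. */
static const uint8_t sample_image[] = {
    0xB8, 0x11, 0x09,           /* mov  ax,0911h        */
    0x8B, 0x17,                 /* mov  dx,[bx]         */
    0xBE, 0x47, 0x46,           /* mov  si,4647h        */
    0xBF, 0x4D, 0x4A,           /* mov  di,4A4Dh        */
    0xCC,                       /* int  3               */
    0x83, 0xC3, 0x02,           /* add  bx,2            */
    0x41,                       /* inc  cx              */
    0x83, 0xF9, 0x06,           /* cmp  cx,6            */
    0x72, 0xEB,                 /* jb   back to the top */
    0x31, 0xFF,                 /* xor  di,di           */
    0x8E, 0xC7,                 /* mov  es,di           */
    0xB8, 0x84, 0x16,           /* mov  ax,1684h        */
    0xBB, 0x02, 0x02,           /* mov  bx,0202h        */
    0xCD, 0x2F,                 /* int  2Fh             */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
};

unsigned scan_sample(void)
{
    return scan_image(sample_image, sizeof sample_image);
}

int main(void)
{
    printf("hit mask: 0x%x\n", scan_sample());
    return 0;
}
```

The returned mask tells you which methods to expect before tracing, so the matching BPX/BPINT from the sections above can be set up front; a hit on p_f386 alone is only a hint, since 0F386h may also appear as data.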

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
in the subkey names of #2 and #1):
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>