<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV AX,0911        ; execute command.
4C19:0098  MOV DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A  MOV SI,4647        ; 1st magic value.
4C19:009D  MOV DI,4A4D        ; 2nd magic value.
4C19:00A0  INT 3              ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD BX,02          ; BX+2 to point to the next command to execute.
4C19:00A4  INC CX
4C19:00A5  CMP CX,06          ; Repeat 6 times to execute
4C19:00A8  JB 0095            ; 6 different commands.
4C19:00AA  JMP 0002           ; Bad_Guy jmps back.
4C19:00AD  MOV BX,SP          ; Good_Guy goes ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinIce
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs              ; (assumes ES = 0, i.e. ES points to the IVT)
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al              ; our handler simply copies al into cl
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax              ; ES = 0 (IVT segment)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, saving the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the PIT counter: a value that keeps changing
        xor cx, cx
        int 41h                 ; reaches our handler (cl = al) unless a debugger
                                ; swallows int 41h first (cl stays 0)
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the device name of the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the open succeeded: the driver is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

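The breakpoints above catch these tricks at run time; an analyst triaging a packed sample usually wants to spot them before loading it under a debugger. The following static signature scanner is an added example (not part of the original text): it searches a byte buffer for the x86 encodings of the listings from methods 01, 02, 03/04, 05, 07, 11 and 12, with the magic constants rendered little-endian, and the sample buffer it runs on is constructed by hand, not taken from any real packer.

```python
import re

# Byte signatures derived from the listings above (plain x86 encodings of the
# page's instructions, magic constants rendered little-endian). The bounded
# wildcards allow a few bytes of unrelated code between the anchoring opcodes.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 ... cmp al,4
    ("01", re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC.{0,8}?\x3C\x04", re.S)),
    # Method 02: mov si,4647h / mov di,4A4Dh (optional 66h prefix in 32-bit code)
    ("02", re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04", re.compile(rb"\xB8\x84\x16.{0,4}?\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh ; int 41h
    ("05", re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.S)),
    # Method 07: mov ah,43h ; int 68h
    ("07", re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.S)),
    # Method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE device name (NUL-terminated)
    ("11", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh (imm8 or imm32 form) ; push 002A002Ah
    ("12", re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
]


def scan(blob):
    """Return [(offset, method)] for every signature hit, ordered by offset."""
    hits = []
    for method, pattern in SIGNATURES:
        hits.extend((m.start(), method) for m in pattern.finditer(blob))
    return sorted(hits)


# Constructed sample (not a real packer stub): the page's sequences, assembled
# by hand and glued together with NOP padding.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    # 01: mov ebp,4243484Bh ; mov ax,4 ; int 3 ; cmp al,4 ; jnz +10h
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10" + b"\x90" * 4
    # 02 (Haspinst.exe style): mov ax,911h ; mov dx,[bx] ; mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC" + b"\x90" * 4
    # 03: xor di,di ; mov es,di ; mov ax,1684h ; mov bx,202h ; int 2Fh
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F" + b"\x90" * 4
    # 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3" + b"\x90" * 4
    # 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3" + b"\x90" * 4
    # 11: device name string as passed to CreateFileA / _lopen
    + b"\\\\.\\SICE\x00" + b"\x90" * 4
    # 12: push 4Fh ; push 2A002Ah ; call dword ptr [...]
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15"
)

if __name__ == "__main__":
    for offset, method in scan(SAMPLE):
        print(f"offset {offset:#06x}: anti-SoftICE method {method}")
```

The wildcard bounds are deliberately tight: a `mov ax,4Fh` followed by an `int 41h` more than 16 bytes later is not reported, which keeps false positives down at the cost of missing heavily interleaved code.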
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>