<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE!

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE's BoundsChecker interface answers this call
    cmp al, 4               ; and al is no longer 04h; without SoftICE the
    jnz SoftICE_Detected    ; int 3 returns with al untouched

___________________________________________________________________________
Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if no such VxD)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if no such VxD)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h          ; a system debugger answers with the magic number
    jz SoftICE_detected


The next method, as well as the following one (Method 06), are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler (offset)...
    xchg bx, es:[41h*4+2]   ; ...and segment, saving the old vector
    mov ax, 4Fh
    int 41h                 ; without a debugger this lands in our iret handler
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h          ; ax is still 4Fh unless a debugger intercepted
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but harder to detect (there is no
magic value to compare against):

int41handler PROC
    mov cl, al              ; our handler only records al in cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable byte from the timer chip
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl == al only if our handler actually ran
    jnz SoftICE_detected

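The two handler-swap checks (the second variant of Method 05 and Method 06)
modelled in Python, as an added example that is not part of the original text
or of Stone's archive. The model assumes that the resident debugger intercepts
int 41h before the V86 interrupt vector table is consulted and never chains to
the vector the program installed, which is exactly what both checks rely on;
Machine, check_method05 and check_method06 are names introduced here. It also
shows the failure mode of Method 06: when the byte read from port 40h happens
to be 0, cl equals al even with the debugger present and the check misses.

```python
"""Model of the int 41h handler-swap checks (Method 05, 2nd variant, and
Method 06). Added example, not code from the original text or from Stone's
archive. Assumption: the resident debugger intercepts int 41h before the V86
interrupt vector table is consulted and never chains to the vector the
program installed; both checks rely on exactly that."""

MAGIC = 0xF386      # answer of a system debugger to int 41h function 4Fh
INT41 = 0x41


def iret_handler(regs):
    """Handler that only IRETs: leaves every register untouched."""


class Machine:
    """Interrupt vector table for int 41h plus an optional resident debugger."""

    def __init__(self, debugger_present):
        self.debugger_present = debugger_present
        self.ivt = {INT41: iret_handler}

    def swap_vector(self, vector, handler):
        """The xchg pair: install a handler and hand back the previous one."""
        previous = self.ivt[vector]
        self.ivt[vector] = handler
        return previous

    def raise_int(self, vector, regs):
        if self.debugger_present and vector == INT41:
            # Debugger side (assumed model): answer function 4Fh with the
            # magic number, swallow every other call without touching regs.
            if regs["ax"] == 0x4F:
                regs["ax"] = MAGIC
            return
        self.ivt[vector](regs)          # no debugger: dispatch through the IVT


def check_method05(m):
    """mov ax,4Fh / int 41h with a temporary iret handler installed."""
    regs = {"ax": 0x4F, "cx": 0}
    saved = m.swap_vector(INT41, iret_handler)
    m.raise_int(INT41, regs)
    m.swap_vector(INT41, saved)
    return regs["ax"] == MAGIC


def check_method06(m, timer_byte):
    """in al,40h / xor cx,cx / int 41h with a handler doing mov cl,al."""
    regs = {"ax": timer_byte & 0xFF, "cx": 0}

    def record_al(regs):                # int41handler: mov cl,al / iret
        regs["cx"] = (regs["cx"] & 0xFF00) | (regs["ax"] & 0xFF)

    saved = m.swap_vector(INT41, record_al)
    m.raise_int(INT41, regs)
    m.swap_vector(INT41, saved)
    # cl == al proves our handler ran; anything else means it was intercepted
    return (regs["cx"] & 0xFF) != (regs["ax"] & 0xFF)


if __name__ == "__main__":
    for present in (False, True):
        m = Machine(present)
        print(f"debugger={present}: method05={check_method05(m)}, "
              f"method06(al=37h)={check_method06(m, 0x37)}, "
              f"method06(al=00h)={check_method06(m, 0x00)}")
```

With the debugger present, check_method06 with al=0 returns False: cl stays 0
and matches al by accident, the one-in-256 false negative the timer read cannot
avoid. Without the debugger both checks return False, because the interrupt
lands in the program's own handler.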
_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID (VxD ID)
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the driver's device name: the open succeeds only if the
       SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then
browses the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                   ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                   ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) + 1 == 0 -> not opened
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========
Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
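
Taken together, the snippets above have fixed byte encodings and fixed strings,
which is what a triage tool looks for when it flags anti-debugging code in a
sample. The following Python scanner is an added example, not part of the
original text or of any tool it mentions; the signature names, the scan() and
build_sample() functions and the sample blob are all constructed here. The
opcode patterns match the exact instruction order shown in methods 01-05, 07
and 12 (a protector that reorders or splits the instructions will not match),
and the strings cover the MeltICE device names (Method 11) and the registry
keys (Method 13).

```python
"""Static triage scanner for the anti-SoftICE patterns catalogued above.

Added example; the signature set, function names and sample blob are all
constructed here and are not from the original text."""
import re

# Byte-level signatures for the published code snippets. Each regex matches
# the x86 encoding of the instructions exactly as shown in the method, so
# variants that reorder or split the instructions are deliberately missed.
CODE_SIGNATURES = {
    # Method 01: mov ebp,'BCHK' (BD imm32; a 66h prefix precedes it in 16-bit code)
    "01 BoundsChecker int 3 ('BCHK' in ebp)":
        rb"\xBD\x4B\x48\x43\x42",
    # Method 02: mov si,4647h / mov di,4A4Dh (BE iw / BF iw), either order
    "02 int 3 back door (SI=4647h, DI=4A4Dh)":
        rb"\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46",
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)":
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "05 int 41h/4Fh compared with 0F386h":
        rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3",
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    "07 int 68h/43h compared with 0F386h":
        rb"\xB4\x43\xCD\x68\x3D\x86\xF3",
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12 VxDCall VWIN32_Int41Dispatch with function 4Fh":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}

# Strings the MeltICE-style checks (Method 11) and the registry probes
# (Method 13) must carry somewhere in the binary. Matched case-insensitively
# because device names and registry paths are case-insensitive on Windows.
STRING_SIGNATURES = {
    "11 SoftICE device name (\\\\.\\SICE, SIWVID or NTICE)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "13 registry key Uninstall\\SoftICE":
        rb"Uninstall\\SoftICE",
    "13 registry key Software\\NuMega\\SoftICE":
        rb"Software\\NuMega\\SoftICE",
    "13 registry key App Paths\\Loader32.Exe":
        rb"App Paths\\Loader32\.Exe",
}


def scan(blob):
    """Return sorted (offset, signature name) pairs found in a raw byte blob."""
    hits = []
    for name, pattern in CODE_SIGNATURES.items():
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), name))
    for name, pattern in STRING_SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.IGNORECASE):
            hits.append((m.start(), name))
    return sorted(hits)


def build_sample():
    """Constructed sample: NOP filler around a few of the published snippets."""
    nops = b"\x90" * 16
    return b"".join([
        nops,
        b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10",   # Method 05 + jz
        nops,
        b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",           # Method 04 (SIWVID)
        nops,
        b"\\\\.\\SICE\x00",                             # Method 11 device name
        b"Software\\NuMega\\SoftICE\x00",               # Method 13 key #2
        nops,
    ])


if __name__ == "__main__":
    for offset, name in scan(build_sample()):
        print(f"{offset:08x}  {name}")
```

Run against a dumped code section, scan() reports the offset and the method
each hit corresponds to; the constructed sample yields four hits (methods 05,
04, 11 and 13) and a clean NOP sled yields none. Because the patterns encode a
single instruction order, treat a miss as "not this exact variant", not as
proof that the sample is free of the trick.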
</PRE></TD></TR></TBODY></TABLE>