<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for SoftICE's BoundsChecker interface: INT 3 with EBP='BCHK' and
AX=4 is the presence check BoundsChecker itself uses, and SoftICE answers
it by changing AL. Without SoftICE nothing answers the call and AL stays 4.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It relies on
the SoftICE 'back door' commands, which return information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display a string in the SIce window)
-AX = 0911h (Execute an SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

        4C19:0095 MOV AX,0911     ; execute command.
        4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647     ; 1st magic value.
        4C19:009D MOV DI,4A4D     ; 2nd magic value.
        4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*).
        4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
        4C19:00A8 JB 0095         ; 6 different commands.
        4C19:00AA JMP 0002        ; Bad_Guy: jmp back.
        4C19:00AD MOV BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (which reboots the machine).

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded: with no SoftICE to consume the INT 3, the
  program's own handler gets it and resumes at 00ADh.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed before the call; if the VxD
is not loaded, ES:DI comes back 0:0, so a non-zero ES:DI means the VxD
is present. (Adding ES and DI is a sloppy zero test, `or ax, di` would be
the exact one, but it is what these stubs do.)

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h            ; VxD ID of WINICE
        int 2Fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh            ; VxD ID of SIWVID
        int 2fh
        mov ax, es               ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (the Windows debugger
installation check). There are several variants.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next example, as well as Method 06, comes from Stone's "stn-wid.zip"
(www.cracking.net). It swaps its own IRET handler into the int 41h vector
for the duration of the call (so the call returns harmlessly, AX still 4Fh,
when nothing else handles it) and restores the vector afterwards. SoftICE
hooks int 41h itself, below the vector table the program patches, so it
still answers 0F386h. ES must be 0 to address the vector table:

        xor ax,ax
        mov es,ax                ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________
Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: it
never uses function 4Fh, so a "BPINT 41 if ax==4f" does not fire. AL is
loaded with a pseudo-random value from the timer port (40h) and the
program's own handler copies AL into CL. If that handler ran, CL equals AL
afterwards; if SoftICE intercepted the interrupt instead, CL is still 0.

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h               ; pseudo-random AL from the timer
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

Not a method of detection of SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

        mov ah, 25h              ; set interrupt vector
        mov al, Int_Number       ; 01h or 03h
        mov dx, offset New_Int_Routine   ; DS must hold its segment
        int 21h
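
The interrupt-based checks of Methods 01 to 08 all reduce to a few
immediate loads followed by an INT. The scanner below is an added example,
not code from this page or from any of the programs it names: it decodes
only the "mov reg, imm" forms those stubs use, tracks the immediates, and
classifies every INT by the register state it is reached with. The byte
string in `sample` was hand-assembled by the editor from the page's own
listings (standard 16-bit encodings); the names `scan_softice_tricks`,
`classify`, `scan_sample` and `sample_hit_is` are the editor's.

```c
/* Added example, not code from the original page: a linear-sweep scanner for
 * the interrupt-based tricks of Methods 01-08. It decodes only the "mov reg,
 * imm" forms those stubs use and classifies each INT by the register state. */
#include <stdint.h>
#include <string.h>

enum trick {
    T_NONE = 0,
    T_BCHK,        /* Method 01: int 3, ebp='BCHK', ax=4             */
    T_BACKDOOR,    /* Method 02: int 3, si=4647h, di=4A4Dh, ax=091xh */
    T_VXD_SICE,    /* Method 03: int 2Fh/1684h, bx=0202h             */
    T_VXD_SIWVID,  /* Method 04: int 2Fh/1684h, bx=7A5Fh             */
    T_INT41_4F,    /* Method 05/06: int 41h, ax=4Fh                  */
    T_INT68_43,    /* Method 07: int 68h, ah=43h                     */
    T_HOOK_INT1_3  /* Method 08: int 21h/25h on vector 01h or 03h    */
};
struct hit { size_t off; enum trick t; uint16_t ax; };
enum { AX, CX, DX, BX, SP, BP, SI, DI };        /* x86 register encoding order */
struct regs { uint16_t r16[8]; uint32_t ebp; }; /* values learned from immediates */

static enum trick classify(uint8_t vec, const struct regs *r)
{
    uint16_t ax = r->r16[AX], al = ax & 0xFF, ah = ax >> 8;
    switch (vec) {
    case 0x03:
        if (r->ebp == 0x4243484BUL && ax == 0x0004) return T_BCHK;
        return r->r16[SI] == 0x4647 && r->r16[DI] == 0x4A4D &&
               ax >= 0x0910 && ax <= 0x0914 ? T_BACKDOOR : T_NONE;
    case 0x2F:
        if (ax != 0x1684) return T_NONE;
        if (r->r16[BX] == 0x0202) return T_VXD_SICE;
        return r->r16[BX] == 0x7A5F ? T_VXD_SIWVID : T_NONE;
    case 0x41: return ax == 0x004F ? T_INT41_4F : T_NONE;
    case 0x68: return ah == 0x43 ? T_INT68_43 : T_NONE;
    case 0x21: return ah == 0x25 && (al == 0x01 || al == 0x03) ? T_HOOK_INT1_3 : T_NONE;
    default:   return T_NONE;
    }
}

/* Sweep `code`, store up to `cap` hits in `out`, return the total hit count.
 * Unknown opcodes are skipped a byte at a time and register state is never
 * invalidated: fine for the straight-line stubs packers emit, but a real tool
 * would disassemble properly and reset the state at branches. */
size_t scan_softice_tricks(const uint8_t *code, size_t len, struct hit *out, size_t cap)
{
    struct regs r; size_t i = 0, n = 0;
    memset(&r, 0, sizeof r);
    while (i < len) {
        uint8_t op = code[i];
        if (op >= 0xB8 && op <= 0xBF && i + 2 < len) {              /* mov r16, imm16 */
            r.r16[op - 0xB8] = (uint16_t)(code[i+1] | code[i+2] << 8);
            i += 3;
        } else if (op >= 0xB0 && op <= 0xB7 && i + 1 < len) {       /* mov r8, imm8 */
            int idx = (op - 0xB0) & 3, high = (op - 0xB0) >> 2;
            uint16_t old = r.r16[idx];
            r.r16[idx] = high ? (uint16_t)(code[i+1] << 8 | (old & 0x00FF))
                              : (uint16_t)((old & 0xFF00) | code[i+1]);
            i += 2;
        } else if (op == 0x66 && i + 5 < len && code[i+1] == 0xBD) { /* mov ebp, imm32 */
            r.ebp = (uint32_t)code[i+2] | (uint32_t)code[i+3] << 8 |
                    (uint32_t)code[i+4] << 16 | (uint32_t)code[i+5] << 24;
            i += 6;
        } else if (op == 0xCC || (op == 0xCD && i + 1 < len)) {     /* int 3 / int n */
            enum trick t = classify(op == 0xCC ? 0x03 : code[i+1], &r);
            if (t != T_NONE) {
                if (n < cap) { out[n].off = i; out[n].t = t; out[n].ax = r.r16[AX]; }
                n++;
            }
            i += (op == 0xCC) ? 1 : 2;
        } else {
            i++;
        }
    }
    return n;
}

/* Constructed sample: the page's stubs assembled by hand, plus a stray INT 3
 * and an ordinary DOS exit (int 21h/4Ch) that must not be flagged. */
static const uint8_t sample[] = {
    0xCC,                                          /* 00: int 3 without magic        */
    0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, /* 01: mov ebp,'BCHK'; mov ax,4   */
    0xCC, 0x3C,0x04, 0x75,0x10,                    /* 10: int 3; cmp al,4; jnz       */
    0xB8,0x11,0x09, 0x8B,0x17,                     /* 15: mov ax,0911h; mov dx,[bx]  */
    0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,          /* 20: mov si,4647h; mov di,4A4Dh; int 3 */
    0x31,0xFF, 0x8E,0xC7,                          /* 27: xor di,di; mov es,di       */
    0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,     /* 31: int 2Fh/1684h, bx=0202h    */
    0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F,     /* 39: int 2Fh/1684h, bx=7A5Fh    */
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x10, /* 47: int 41h/4Fh; cmp ax,0F386h; jz */
    0xB4,0x43, 0xCD,0x68,                          /* 57: mov ah,43h; int 68h        */
    0xB4,0x25, 0xB0,0x03, 0xBA,0x00,0x01, 0xCD,0x21, /* 61: mov ah,25h; mov al,3; mov dx,100h; int 21h */
    0xB4,0x4C, 0xB0,0x00, 0xCD,0x21                /* 70: mov ax,4C00h; int 21h (exit) */
};

size_t scan_sample(struct hit *out, size_t cap) { return scan_softice_tricks(sample, sizeof sample, out, cap); }

/* 1 if the k-th hit in the sample is trick `t` at byte offset `off`. */
int sample_hit_is(size_t k, enum trick t, size_t off)
{
    struct hit h[16]; size_t n = scan_sample(h, 16);
    return k < n && h[k].t == t && h[k].off == off;
}
```

Running `scan_sample` over the constructed buffer reports seven hits, one per
stub, and ignores both the leading INT 3 (no magic values loaded yet) and the
final int 21h/4Ch. The register state is deliberately carried across stubs,
which is what makes Method 08's ah=25h/al=03h classification work after the
earlier `mov ax,4Fh`; in real binaries that same laziness produces false
positives, which is why the comment on `scan_softice_tricks` says to reset
state at control-flow boundaries.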
___________________________________________________________________________

Method 09
=========

This method is close to Methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ECX)
if it is installed.

        mov eax, Device_ID       ; 202h for SICE or 7a5Fh for SIWVID (VxD ID)
        mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx           ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the program
with the SoftICE loader, 0x400 otherwise) or whether memory breakpoints
are set (DR0 to DR3), simply by reading their value (ring 0 only: MOV from
a debug register is a privileged instruction). Values can be manipulated
or changed as well (clearing BPMs, for instance).
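
What the two DR7 values above mean is easier to see with a decoder. The
following is an added example, not code from this page: it decodes a DR7
value the way a ring-0 check would have to, using the documented bit layout
(L0..G3 enables in bits 0-7, LE and GE in bits 8-9, R/W and LEN fields from
bit 16 up). The value 0x000F0701 is a constructed one, meant to stand for a
4-byte read/write breakpoint armed on DR0 on top of the loader's 0x700; the
function names are the editor's.

```c
/* Added example, not code from the original page: DR7 decoding for a
 * Method 10 style check (values read at ring 0, here passed in directly). */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* LE (bit 8) or GE (bit 9) set: the 0x700 vs 0x400 difference on this page. */
int dr7_debugger_sig(uint32_t dr7) { return (dr7 >> 8) & 3 ? 1 : 0; }
/* DRn armed: L_n is bit 2n, G_n is bit 2n+1. */
int dr7_armed(uint32_t dr7, int n) { return (dr7 >> (2 * n)) & 3 ? 1 : 0; }
/* R/W_n: 00 exec, 01 write, 10 I/O (with CR4.DE), 11 read or write. */
int dr7_rw(uint32_t dr7, int n)    { return (dr7 >> (16 + 4 * n)) & 3; }
/* LEN_n: 00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes (64-bit mode). */
int dr7_len(uint32_t dr7, int n)   { return (dr7 >> (18 + 4 * n)) & 3; }

/* Number of armed hardware breakpoints (SoftICE BPMs live here). */
int count_armed(uint32_t dr7)
{
    int n, armed = 0;
    for (n = 0; n < 4; n++) armed += dr7_armed(dr7, n);
    return armed;
}

/* The "clearing BPMs" manipulation the page mentions: drop every L/G enable
 * bit, keep LE/GE and the always-one bit 10 so the loader signature stays. */
uint32_t dr7_disarm(uint32_t dr7) { return dr7 & ~0xFFu; }

/* One-line human summary into buf; returns the number of armed breakpoints. */
int describe_dr7(uint32_t dr7, char *buf, size_t cap)
{
    static const char *rw_name[]  = { "exec", "write", "io", "rw" };
    static const char *len_name[] = { "1", "2", "8", "4" };
    int n, armed = 0, used;
    used = snprintf(buf, cap, "DR7=%08X:%s", (unsigned)dr7,
                    dr7_debugger_sig(dr7) ? " LE/GE set (debugger signature)"
                                          : " LE/GE clear");
    for (n = 0; n < 4; n++) {
        if (!dr7_armed(dr7, n)) continue;
        armed++;
        if (used >= 0 && (size_t)used < cap)
            used += snprintf(buf + used, cap - used, "; DR%d %s len%s", n,
                             rw_name[dr7_rw(dr7, n)], len_name[dr7_len(dr7, n)]);
    }
    return armed;
}
```

With the page's own values, `describe_dr7(0x400, ...)` reports "LE/GE clear"
and no breakpoints, `0x700` reports the debugger signature, and the
constructed `0x000F0701` adds "DR0 rw len4"; `dr7_disarm` turns the latter
back into 0x000F0700, which is what a protector that "clears BPMs" would
write back to DR7.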
___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* TRUE if the Win9x SoftICE VxD answers an open on its device name. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag so that its
handle can be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025   ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001    ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
(esp->4 is the lpFileName argument on entry to CreateFileA; +4 skips the
four characters of "\\.\", so the DWORD compared is the first four
characters of the device name.)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                  ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                  ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                  ; OF_READ
        mov eax,[00656634]       ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                  ; HFILE_ERROR (-1) becomes 0
        jnz 00650589             ; detected
        push 00                  ; OF_READ
        mov eax,[00656638]       ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae              ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall back door. This detection was found in the
Bleem demo.

        push 0000004fh           ; function 4fh
        push 002a002ah           ; high word specifies which VxD (VWIN32),
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001   ; VxDCall
        cmp ax, 0f386h           ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; offset 0x13 into "Software\NuMega\SoftICE"
and offset 0x37 into "Software\Microsoft\Windows\CurrentVersion\Uninstall
\SoftICE" both land on the "tICE" of "SoftICE", so this one breakpoint
covers keys #1 and #2.)

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed         ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>