<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: with 'BCHK' in ebp and
ax=4, a loaded SoftICE services the int 3 itself and changes al; without
it, al keeps the value 4.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). ES:DI is zeroed first, so it is still 0:0 after
the call unless the VxD answered with its API entry point.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program's own dummy handler is swapped
into the int 41h vector for the duration of the call (ES must point to the
interrupt vector table, i.e. segment 0) and the original vector is restored
afterwards, so a result of 0F386h cannot come from whatever handler was
installed in the vector table:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
handler copies al into cl, and a value read from the timer port is placed in
al before the call. If the program's own handler serviced int 41h, cl equals
al afterwards; if something else (SoftICE) answered the interrupt instead,
cl is still 0 and the compare fails.

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether there are memory breakpoints set (dr0 to dr3), simply by reading
their values (in ring 0 only). Values can be manipulated and/or changed as
well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.

-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it's only available for Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
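
As an added example, which is not part of the original text or of any tool
it mentions, here is a small static scanner for the idioms documented above
(methods 01, 02, 03/04, 05, 11, 12 and 13). It lets an analyst flag a sample
that carries these anti-SoftICE checks before running it under a debugger.
The byte patterns are my own encodings of the instructions and constants
quoted in the text (B8+reg = mov r16/r32,imm; 68 = push imm32; CD = int),
the match windows between the parts of a pattern are an assumption, and the
sample image at the bottom is constructed for the demo. Hits are leads for
manual review, not proof: sequences this short can occur by chance in code
or data.

```python
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Hit:
    method: str   # method number as used in the text
    offset: int   # byte offset of the match in the scanned image
    what: str     # short description of the idiom


# (method, description, pattern over raw bytes). The byte values are the x86
# encodings of the instructions/constants quoted in the text (assumed here,
# not taken from any tool). A lazy .{0,16}? tolerates a few unrelated
# instructions between the parts of a check. The 16-bit "mov si/di,imm16"
# forms also match the first bytes of their 32-bit "mov esi/edi,imm32" forms.
SIGNATURES = [
    ("01", "mov ebp, 4243484Bh ('BCHK') BoundsChecker probe",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("02", "int 3 backdoor magic values SI=4647h / DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.S)),
    ("03/04", "int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) VxD ID",
     re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A).{0,16}?\xCD\x2F", re.S)),
    ("05", "int 41h / ax=4Fh debugger-installed check",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.S)),
    ("11", "MeltICE: CreateFile/_lopen on a SoftICE device name (ANSI only)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("12", "VxDCall VWIN32_Int41Dispatch (push 002A002Ah)",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
    ("13", "registry key Software\\NuMega\\SoftICE",
     re.compile(re.escape(rb"Software\NuMega\SoftICE"), re.I)),
]


def scan(blob: bytes) -> List[Hit]:
    """Return every signature hit in the image, ordered by offset."""
    hits = []
    for method, what, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append(Hit(method, m.start(), what))
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(blob: bytes) -> Set[str]:
    """The set of method numbers (as used in the text) seen in the image."""
    return {h.method for h in scan(blob)}


# Constructed sample image for the demo (not a real binary): a few of the
# idioms above glued together with NOP/zero padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"          # mov ebp, 4243484Bh            (method 01)
    + b"\x66\xB8\x04\x00\xCC"          # mov ax, 4 ; int 3
    + b"\xB8\x11\x09"                  # mov ax, 0911h (16-bit code)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov si,4647h ; mov di,4A4Dh ; int 3 (02)
    + b"\xBB\x02\x02\xCD\x2F"          # mov bx, 0202h ; int 2Fh       (method 03)
    + b"\\\\.\\SICE\x00"               # "\\.\SICE" device name         (method 11)
    + b"\x68\x2A\x00\x2A\x00"          # push 002A002Ah                (method 12)
    + b"\x00" * 8
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"offset 0x{hit.offset:04x}  method {hit.method:<5} {hit.what}")
```

Run against a real sample, feed it the raw file bytes (or, better, each
decompressed section after unpacking, since the packers the text mentions
keep these checks inside the packed layer). The registry and device-name
patterns only cover ANSI strings; a Unicode build of the same MeltICE check
would need UTF-16 variants of the names.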
4 }# r! J7 e( o) j" B! Z ^4 i</PRE></TD></TR></TBODY></TABLE> |