<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========
Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; es = 0 -> interrupt vector table (as in method 06)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old one
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; only runs if nobody intercepts int 41h before us
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler, saving the old one
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value from the timer chip
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl != al means our handler never ran
    jnz SoftICE_Detected

_________________________________________________________________________
Method 07
=========
Method detecting the WinICE handler on int 68h (V86).

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detecting SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* The open only succeeds when the SICE VxD is loaded. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32)
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one!
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
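The checks above share fixed constants (the 'BCHK' value of Method 01, the 4647h/4A4Dh magic of Method 02, the int 2Fh/1684h VxD IDs of Methods 03 and 04, the int 41h/4Fh and int 68h/43h calls of Methods 05 to 07, the device names of Method 11 and the VxDCall arguments of Method 12), so an analyst triaging a packed executable can look for their byte encodings. The Python scanner below is an added example, not code from the original text; the signature labels, the search windows and the hand-assembled sample bytes are this example's own assumptions.

```python
import re
import sys
from typing import List, Tuple

# Byte encodings of the checks described above (standard x86, 16-bit operand
# size unless noted). Labels and search windows are this example's own choices.
INT3 = rb"(?:\xCC|\xCD\x03)"
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') then int 3 within a few bytes (32-bit code)
    ("M01 BoundsChecker BCHK", re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?" + INT3, re.S)),
    # Method 02: mov si,4647h and mov di,4A4Dh close together, then int 3
    ("M02 back door magic SI/DI",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,12}?" + INT3, re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("M03/04 int 2F/1684 VxD ID", re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Methods 05/06: mov ax,4Fh ; int 41h (in 32-bit code a 66h prefix precedes the match)
    ("M05 int 41/4F", re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68/43", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: device names handed to CreateFileA or _lopen
    ("M11 MeltICE device name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh ; push 002A002Ah ahead of the VxDCall
    ("M12 VxDCall Int41Dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) pairs for every signature hit, in file order."""
    hits = [(m.start(), label) for label, pat in SIGNATURES for m in pat.finditer(blob)]
    return sorted(hits)


# Constructed sample: the Haspinst.exe loop body from Method 02, the simple
# Method 05 check and a MeltICE device name, hand-assembled and padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"            # mov ax,0911h
    + b"\x8B\x17"                # mov dx,[bx]
    + b"\xBE\x47\x46"            # mov si,4647h
    + b"\xBF\x4D\x4A"            # mov di,4A4Dh
    + b"\xCC"                    # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"    # mov ax,4Fh ; int 41h
    + b"\x3D\x86\xF3"            # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"         # '\\.\SICE',0
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label in scan(data):
        print(f"{offset:08x}  {label}")
```

The sequences are short, so treat a hit as a lead to inspect in the disassembler rather than proof, and expect misses where the code uses other registers or builds the device name at run time.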
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>