<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of SoftICE detection (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with ebp='BCHK' and
ax=4, the int 3 is intercepted by SoftICE, which answers by changing al;
without SoftICE the int 3 simply returns and al is still 4.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used
to call the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint information)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE ('FG' and 'JM' in ASCII).
For more information, see "Ralf Brown's Interrupt List", int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; int call (if SoftICE is not loaded, jump to 00AD*).
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy jumps back.
4C19:00AD  MOV  BX,SP       ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jump to 00ADh" is performed via an SEH (the program's own exception
  handler) if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point (0:0 if not found)
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks up the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected


The next method and the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points the int 41h
vector at a dummy handler (a plain iret), so that without a debugger
ax comes back unchanged; with SoftICE installed the call is intercepted
before it reaches the real-mode vector, and ax comes back as 0F386h:

    xor ax, ax
    mov es, ax                  ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect, because
there is no fixed function number (4Fh) or magic value (0F386h) to break
on: the dummy handler copies al into cl, and the function number is a
value read from port 40h (the timer). If our handler was reached, cl
equals al; if something else swallowed the int 41h, cl is still 0.

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax                  ; es = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]         ; install our handler, keep the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h                  ; pseudo-random function number
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]         ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

_________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of SoftICE detection but a way to crash the system, by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or if memory breakpoints are set (dr0 to dr3), simply by
reading their value (ring 0 only). The values can be manipulated or
changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* The open only succeeds if the SICE VxD is loaded and answers DIOC_OPEN. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067:  push 00402025       ; \\.\SICE
    0040106C:  call CreateFileA
    00401071:  cmp  eax,-001
    00401074:  je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
-The most exotic ones (can be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                            ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                            ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov  eax,[00656634]         ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                    ; HFILE_ERROR (-1) becomes 0
    jnz  00650589               ; detected
    push 00                     ; OF_READ
    mov  eax,[00656638]         ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae               ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

    push 0000004Fh              ; function 4Fh
    push 002A002Ah              ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001      ; VxDCall
    cmp ax, 0F386h              ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, several ways to catch it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it (esp->8 is the subkey string; offsets 0x13
and 0x37 are where 'tICE' sits in keys #2 and #1 respectively):
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
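
Most of the sequences above are constant enough to be found by a static scan
of a protected program, which is how an analyst can spot these tricks before
running anything under SoftICE. The following C program is an added example,
not code from the original text: it encodes the instruction sequences of
methods 01, 02, 03/04, 05, 07 and 12 as byte signatures (the standard x86
encodings of the instructions shown, 16-bit form for the real-mode ones;
the 'BCHK', SI/DI and cmp ax,0F386h patterns start at the opcode, so they
also match the 66h-prefixed 32-bit form), adds the device names of method 11
and the registry key of method 13 as strings, and scans a buffer for them.
The sample buffer is constructed here for the demonstration and is not taken
from any real file.

```c
/* Static scanner for the anti-SoftICE sequences listed above.
 * Added example, not part of the original text. Byte encodings are the
 * standard x86 ones for the instructions shown; the sample is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *name;    /* method of the text the signature comes from */
    const uint8_t *bytes;
    size_t         len;
} sig_t;

/* Method 01: mov ebp,4243484Bh -> BD 4B 48 43 42 (66h prefix in 16-bit code) */
static const uint8_t s_bchk[]    = {0xBD, 0x4B, 0x48, 0x43, 0x42};
/* Method 02: mov si,4647h / mov di,4A4Dh (16-bit; 66h prefix in 32-bit code) */
static const uint8_t s_si[]      = {0xBE, 0x47, 0x46};
static const uint8_t s_di[]      = {0xBF, 0x4D, 0x4A};
/* Methods 03/04: mov bx,0202h / mov bx,7A5Fh ; int 2Fh */
static const uint8_t s_sice[]    = {0xBB, 0x02, 0x02, 0xCD, 0x2F};
static const uint8_t s_siwvid[]  = {0xBB, 0x5F, 0x7A, 0xCD, 0x2F};
/* Method 05: mov ax,4Fh ; int 41h */
static const uint8_t s_int41[]   = {0xB8, 0x4F, 0x00, 0xCD, 0x41};
/* Method 07: mov ah,43h ; int 68h */
static const uint8_t s_int68[]   = {0xB4, 0x43, 0xCD, 0x68};
/* Method 12: push 4Fh ; push 002A002Ah */
static const uint8_t s_vxdcall[] = {0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00};
/* Methods 05/07/12: cmp ax,0F386h (66h prefix in 32-bit code) */
static const uint8_t s_f386[]    = {0x3D, 0x86, 0xF3};
/* Method 11: device names passed to CreateFileA / _lopen */
static const uint8_t s_dev_sice[]   = "\\\\.\\SICE";
static const uint8_t s_dev_siwvid[] = "\\\\.\\SIWVID";
static const uint8_t s_dev_ntice[]  = "\\\\.\\NTICE";
/* Method 13: registry key #2 */
static const uint8_t s_reg[]     = "Software\\NuMega\\SoftICE";

#define BIN(n, a) { n, a, sizeof(a) }
#define STR(n, a) { n, a, sizeof(a) - 1 }   /* drop the terminating NUL */

static const sig_t sigs[] = {
    BIN("01 BCHK int 3",               s_bchk),
    BIN("02 int 3 back door SI=4647h", s_si),
    BIN("02 int 3 back door DI=4A4Dh", s_di),
    BIN("03 int 2Fh/1684h SICE",       s_sice),
    BIN("04 int 2Fh/1684h SIWVID",     s_siwvid),
    BIN("05 int 41h/4Fh",              s_int41),
    BIN("07 int 68h/43h",              s_int68),
    BIN("12 VxDCall VWIN32_Int41Dispatch", s_vxdcall),
    BIN("05/07/12 cmp ax,0F386h",      s_f386),
    STR("11 \\\\.\\SICE device name",  s_dev_sice),
    STR("11 \\\\.\\SIWVID device name", s_dev_siwvid),
    STR("11 \\\\.\\NTICE device name", s_dev_ntice),
    STR("13 NuMega registry key",      s_reg),
};
#define NSIGS (sizeof(sigs) / sizeof(sigs[0]))

/* Offset of the first occurrence of pat in buf, or -1 if absent. */
static long find_pattern(const uint8_t *buf, size_t buflen,
                         const uint8_t *pat, size_t patlen)
{
    for (size_t i = 0; patlen && i + patlen <= buflen; i++)
        if (memcmp(buf + i, pat, patlen) == 0)
            return (long)i;
    return -1;
}

/* Scan buf against every signature: offsets[k] receives the offset of
 * signature k (or -1); the return value is the number of signatures hit. */
int scan_antisice(const uint8_t *buf, size_t buflen, long *offsets)
{
    int hits = 0;
    for (size_t k = 0; k < NSIGS; k++) {
        offsets[k] = find_pattern(buf, buflen, sigs[k].bytes, sigs[k].len);
        if (offsets[k] >= 0) hits++;
    }
    return hits;
}

/* Constructed sample (not a real file): methods 01 and 02 as 16-bit code,
 * some filler, and the "\\.\SICE" device name of method 11. */
static const uint8_t sample[] = {
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,   /* mov ebp,4243484Bh ('BCHK') */
    0xB8, 0x04, 0x00,                     /* mov ax,4                   */
    0xCC,                                 /* int 3                      */
    0x3C, 0x04,                           /* cmp al,4                   */
    0x75, 0x10,                           /* jnz SoftICE_Detected       */
    0x90, 0x90, 0x90, 0x90,               /* filler                     */
    0xB8, 0x11, 0x09,                     /* mov ax,0911h               */
    0xBE, 0x47, 0x46,                     /* mov si,4647h               */
    0xBF, 0x4D, 0x4A,                     /* mov di,4A4Dh               */
    0xCC,                                 /* int 3                      */
    0x00, 0x00,
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00,
};

/* Helpers returning the scan result for the sample (checkable without output). */
int sample_hit_count(void)
{
    long off[NSIGS];
    return scan_antisice(sample, sizeof(sample), off);
}

long sample_offset(size_t k)
{
    long off[NSIGS];
    scan_antisice(sample, sizeof(sample), off);
    return k < NSIGS ? off[k] : -2;
}

int main(void)
{
    long off[NSIGS];
    int hits = scan_antisice(sample, sizeof(sample), off);
    for (size_t k = 0; k < NSIGS; k++)
        if (off[k] >= 0)
            printf("offset %3ld: %s\n", off[k], sigs[k].name);
    printf("%d of %zu signatures matched\n", hits, (size_t)NSIGS);
    return 0;
}
```

On the constructed sample the scanner reports four hits: the 'BCHK'
immediate at offset 1 (right after the 66h prefix), the SI and DI magic
values at offsets 21 and 24, and the "\\.\SICE" string at offset 30. To scan
a real file, read it into a buffer and pass it to scan_antisice(); a hit on
a string signature alone is weak evidence (the string may be in a message
table), while a hit on one of the instruction sequences is worth a look with
the matching breakpoint from the method it belongs to.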
</PRE></TD></TR></TBODY></TABLE>