<TABLE width=500>5 q( s {& z$ d/ P
<TBODY>1 J f: @, j" J& W# `% @8 i, c2 a
<TR>
e; k+ h$ y2 X: O4 T4 o+ G<TD><PRE>Method 01 " k3 T, y3 H& X( F2 V# J- \) v0 o4 ~
=========' c& t4 \) F; g: Q0 D$ [6 x* c
8 c' ^( F' x0 z9 d4 jThis method of detection of SoftICE (as well as the following one) is
' g/ g I( h! Q. R" yused by the majority of packers/encryptors found on Internet.' ~9 r+ y; }$ }2 F; i; x7 C
It seeks the signature of BoundsChecker in SoftICE
! r2 [. H" E, A r' o0 q/ J7 w# x4 x0 B
mov ebp, 04243484Bh ; 'BCHK'
4 _, K6 i! m% T$ p. u. i. r mov ax, 04h$ N& w6 o0 }* j3 m6 p% a
int 3 ! I: J2 |* i% c: v, L& c/ i2 V8 ?! l
cmp al,4( C: J6 @9 E( o4 e
jnz SoftICE_Detected
+ _. d( B# Z6 g W4 @/ R! j0 ^& H; l3 L, t# u W
___________________________________________________________________________
+ H) A2 F, f( i M9 f' ^3 G8 O! ]2 x3 B+ C0 P/ u
Method 02) S! T7 h) S3 F4 F. t) g
=========
' ~0 U( e M {$ M" x
2 X+ v, Q* Q: a x8 Y! r! L0 y( OStill a method very much used (perhaps the most frequent one). It is used
1 l( Z$ p! J; j, V' J7 Eto get SoftICE 'Back Door commands' which gives infos on Breakpoints,& w9 T3 Q+ F0 C& W- b7 p
or execute SoftICE commands...2 K/ M+ E3 H/ y8 B7 E
It is also used to crash SoftICE and to force it to execute any commands6 N9 }3 ~# [" H3 D; L
(HBOOT...) :-(( 6 [+ K5 e+ q' Q- F y
5 t/ ~- {! J, Y+ e* b A5 D+ jHere is a quick description:
0 S( \0 |$ T1 j& ]-AX = 0910h (Display string in SIce windows)6 a6 V- S! U6 o+ |% g6 \
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)8 Y# J1 A: l) q* o+ P
-AX = 0912h (Get breakpoint infos)
5 {8 E1 p7 P `5 n6 @4 x3 ~9 ?-AX = 0913h (Set Sice breakpoints)
, \0 v- T! M3 n( T- A4 v9 @-AX = 0914h (Remove SIce breakoints)1 \8 K7 x" D3 L1 {' a* t
L$ J9 `( U- C( S# \" C6 e1 y1 D
Each time you'll meet this trick, you'll see:) I2 d. O5 k) H* s
-SI = 4647h
1 t! b- c2 p8 }% X: F) ^1 I- t-DI = 4A4Dh: q v8 g6 D8 h4 [0 e5 w
Which are the 'magic values' used by SoftIce.
, W2 J6 O" F% Q4 U* r: q0 z% AFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
' U& H8 u9 z9 k2 I9 \0 y0 Y5 p3 R" F* ]
Here is one example from the file "Haspinst.exe" which is the dongle HASP
2 W- y6 V# k8 U. N1 y) g6 e! O# H- kEnvelope utility use to protect DOS applications:
: ?* h, l3 o: q
1 h" h( `. o' u4 H2 z# {
! }2 a& H5 s$ y4C19:0095 MOV AX,0911 ; execute command.
0 ~* S+ x- v8 n+ v G& `4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).4 j; ]- m; d: S% u/ H
4C19:009A MOV SI,4647 ; 1st magic value.
% z5 J6 w" u1 r( V4C19:009D MOV DI,4A4D ; 2nd magic value.' b7 _0 d6 }; |3 {$ j! ]$ D5 ~
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
- W ~ a8 `9 K% ]4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute# X! X; y- | n: \- _! M
4C19:00A4 INC CX; b, y4 h& u/ T* a, b. E3 v
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute2 {/ i K5 F1 J$ V2 A; H
4C19:00A8 JB 0095 ; 6 different commands.! y% [; R+ e/ A4 k" t
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
9 S) X0 t" ]/ b0 T4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
* D2 M/ G$ t0 ?* A7 @/ G
8 A# g9 r; j* qThe program will execute 6 different SIce commands located at ds:dx, which0 V# @6 Q; e) z) y; h8 Q& I- p
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
! ^1 J; S ^* `, M* @
+ G7 X# F; i- V* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.) K. Q$ p, ^0 C1 G; U* ^
___________________________________________________________________________
' a2 @2 H1 ^4 _) u' x1 f9 }8 R. D0 ]$ D
: O0 V# H# e5 Q8 VMethod 037 I, F1 \: t1 c- Y% ^) \3 d5 Z
=========* D, Z/ B1 Q6 ^
" B9 E& \3 n1 W. u
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h6 @# X% D' \6 y3 @; v/ p
(API Get entry point)" S+ H2 y# N! D" P: ~- e) @
, j9 u& ^: l: r6 D
0 m0 V9 R0 O* f8 K K U
xor di,di. \9 b' E0 h( {: E8 q2 ?( {7 `- V! h9 L2 E
mov es,di: m8 i3 n7 c% l0 a; J% g
mov ax, 1684h ) y8 j8 R( x( J
mov bx, 0202h ; VxD ID of winice
1 r/ ^7 H- }$ \* b0 T int 2Fh3 ~; w, [ |6 {5 T& h1 s2 t0 e. l' P; ^- \
mov ax, es ; ES:DI -> VxD API entry point& ~9 T4 l Y1 A% i- ?
add ax, di- ?8 w6 k5 j" V' Y# M; M, R. _% w
test ax,ax9 S: t6 @4 |7 D) I% l% B
jnz SoftICE_Detected& z* V* |. o5 {6 z( Q
# D: g$ q j* W2 q% \___________________________________________________________________________
7 B3 ]( s& @+ S- ?- i6 F ^& M, `- P5 d% Y
Method 04. R, V. X: Q: U9 R# }; b
=========% u7 z, F8 A6 B# L4 W' Z, T! n! \7 R
" Y( C" h* W4 pMethod identical to the preceding one except that it seeks the ID of SoftICE7 y% C9 s" l6 d0 o, s! o
GFX VxD., k' {) E: A# {& S3 H# ]1 F0 u
! e3 b' L, ?+ t0 Q xor di,di
& x8 d; h8 [! \+ C mov es,di( n8 H' c7 @9 ^
mov ax, 1684h
# \$ n7 |3 J& r9 j$ K' P mov bx, 7a5Fh ; VxD ID of SIWVID& D! z+ E* E+ x: S
int 2fh
7 X- ]9 F( E7 v5 | s* E mov ax, es ; ES:DI -> VxD API entry point+ `% Z( c4 r8 Q
add ax, di1 V1 o3 Z7 O& F9 I' J
test ax,ax
* m2 [: h( w( i, b3 {: a- H. a5 [ jnz SoftICE_Detected
, [( o. N7 j7 n+ _
* w) k# D! j. [. p: \6 N9 b__________________________________________________________________________
) A8 ?$ x' b- K6 k' Z5 \
, a3 R" |6 r" }6 u7 P" H+ Z/ ]8 O/ G/ H/ z% q' v0 H$ S& V
Method 05
" [9 D* M- g$ v; f=========
% ` y$ Z" ~8 Z
/ _. V6 o: g4 m$ RMethod seeking the 'magic number' 0F386h returned (in ax) by all system, @" E1 Q$ r/ ^4 i$ I) Z
debugger. It calls the int 41h, function 4Fh.
' D0 O0 J; a9 f$ `0 z; E+ YThere are several alternatives.
; S \, w, V3 n5 p2 }# @. f/ J; t/ [ P( }
The following one is the simplest:
# q, n* P6 ~' [. d* I" ~3 }( A* ]( @7 \; _# ?3 w- b4 M: J
mov ax,4fh
4 z5 t9 s* z9 ^/ l% l int 41h
! L& U4 y" J) K& C3 N4 N cmp ax, 0F386
2 S, h5 ~2 V6 N jz SoftICE_detected
% i# n: R& d& f0 ^# J
& L0 v- W% _, _' k# \) ?
+ F/ M8 _7 f4 U* iNext method as well as the following one are 2 examples from Stone's + s7 K( m% r" b' s9 Z% ^( B
"stn-wid.zip" (www.cracking.net):2 ?$ h/ U+ Z* T* a, Q
4 [8 v. T+ |+ M" P
mov bx, cs
# P; f; b/ X" E5 i4 M lea dx, int41handler2
/ z5 v0 v" N! B1 g xchg dx, es:[41h*4]( w- U2 _+ b2 a. I
xchg bx, es:[41h*4+2]
. P m) v+ R+ q V mov ax,4fh0 E2 E2 I& ~8 k8 m9 V( F
int 41h& d1 |) Z. g8 L# I
xchg dx, es:[41h*4] k6 E! ~; ~+ v7 u
xchg bx, es:[41h*4+2]
! P+ ]: ~! r" I# n& B6 b cmp ax, 0f386h
- d$ ^6 q& X* \8 }. ?, M jz SoftICE_detected K) v# e. j+ j/ r* R% `
( h1 Q1 B4 T! e7 x2 qint41handler2 PROC
% ]& ~& O- }% f; R) x- U iret0 U9 m4 o" ]7 `6 l' D
int41handler2 ENDP1 G% Q) ~% O" n9 U/ Y9 c! A
2 M: t6 B Q- z* e' x+ n9 o& t+ s0 p2 y8 q) u ]" U5 j6 Q% h
_________________________________________________________________________( o" L0 M/ C; t
5 U5 u8 F/ v9 P0 t" z% V" M- w: N+ y) c; L- A
Method 06
& Q' A) j. w/ ?- t7 g=========
# @: T) l& @2 l; M. Y' u+ \- j& L( |, d
+ M2 n6 F4 G& K7 G& P
2nd method similar to the preceding one but more difficult to detect:2 I5 U! z8 x8 s1 U3 _' t' t* N$ y
' @! G: O2 G( A2 r1 K
/ [ B3 t& K( U) p) h) Q5 p! rint41handler PROC0 k, W7 L" }1 {
mov cl,al
5 J X* j! I! Y+ [ g. ?( L iret2 c9 I; U- V4 ~6 Z& m# H$ V* i
int41handler ENDP/ A% T# w3 X3 G! p
- U' }& N& C+ U" P* Z' Q
$ ~& V' _) H2 T) i+ E( g xor ax,ax
! C: i- J7 f0 a% A0 [ mov es,ax( u5 G5 K( }7 L+ a3 f" A
mov bx, cs
( t# @( t. I: @$ W3 T lea dx, int41handler
* r3 ]; v( m! P2 M xchg dx, es:[41h*4]' a7 x# l, U- J( r$ C8 g
xchg bx, es:[41h*4+2]. p5 }* b5 P3 u. |3 O- L/ Q
in al, 40h
. u- J. c6 O ]* ~# ^+ \ xor cx,cx
# o: ^/ Y/ H4 |* `5 { int 41h; \. i7 k& U: Q
xchg dx, es:[41h*4]! O0 a/ `! m, F' ?. T9 g
xchg bx, es:[41h*4+2]! ?7 o6 \! w% M6 m; v
cmp cl,al
/ l# S! ?, Y5 z$ R jnz SoftICE_detected
# o3 J7 k7 Z! x2 v. k( f: B; H1 q) t& t- U; \5 u
_________________________________________________________________________+ }/ _. u o3 I2 ?
. g& p# m, z1 w1 ~( _1 u' D
Method 07
, t0 L0 p2 Q( ?! }* B=========
- k( f& a; U: K* C( F
& \+ d! _0 z; x' U+ C, e! IMethod of detection of the WinICE handler in the int68h (V86)
$ B7 o6 h0 z& u# \7 I
; H* Y: [1 c' P: a `* W: l6 A mov ah,43h" d- j) L2 f u. q, ]1 ?9 N
int 68h
0 t2 y; L' n. u. Q3 N cmp ax,0F386h& C, L/ K- b: y- C$ z
jz SoftICE_Detected
7 C9 h0 L1 j4 r* I! c) P- }6 H) @! T7 r2 i7 D! k
, a# O* _5 P. S# I9 Z$ g$ T% Z
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit3 _% z3 {) f! }5 i/ e) g# R; P
app like this:8 j5 Q. q! Q1 m! k: ~
g' s7 S! S X BPX exec_int if ax==68
' [1 T/ \. G8 R7 y: M' N (function called is located at byte ptr [ebp+1Dh] and client eip is
2 k' Y- ~2 ^* r0 Q$ P4 w# |; ^/ [ located at [ebp+48h] for 32Bit apps)" U2 |2 M1 r/ h2 s5 j; l! s
__________________________________________________________________________
" c" y) v8 V: G" A4 {5 H
0 B' q# {' `/ S* o( N A4 ` T6 C
/ {3 r9 e5 h& W9 W4 h! i& v aMethod 08: f3 B* ]% u3 p, q, A& r
=========
: o2 v, ^7 A: W" j8 ^
* x8 f9 `- k7 _9 f6 e) `) tIt is not a method of detection of SoftICE but a possibility to crash the
7 s5 s: K% u3 fsystem by intercepting int 01h and int 03h and redirecting them to another
4 G! c N3 y4 W8 M0 O5 {routine." Y+ V8 {6 r+ M: Y5 }2 O \
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
" _# j: p+ p- Ito the new routine to execute (hangs computer...)/ F4 \/ F) Y; T( P1 M. k* b8 ^9 {4 ?
( f. e' g0 Q% h9 z0 y5 Z& k
mov ah, 25h0 G* Y" h4 I1 l( a8 C
mov al, Int_Number (01h or 03h)+ D# b D9 W! v. [) A. ^. M7 e/ U% \
mov dx, offset New_Int_Routine* n0 ]: Q0 r) Y" R; z
int 21h
6 V$ U2 ?( d7 k) R2 u
- @" C; N' B0 {- y" b0 T. z! [__________________________________________________________________________
, Z* o, c6 C; _& o- K1 `) D( y1 g. I# Z& n4 d5 S7 u
Method 09
) }9 o* B8 m& a8 F=========& A/ j$ Q0 {8 ~4 f
& z6 w- F+ \4 n: q; w% l; N
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
7 ~& _- n9 z; l0 ?) \8 Z, _/ t6 O2 Cperformed in ring0 (VxD or a ring3 app using the VxdCall).+ Y8 s! ~. k" z8 F _1 F$ k6 N1 l0 }: b
The Get_DDB service is used to determine whether or not a VxD is installed% O9 w; a3 t3 X8 I. n
for the specified device and returns a Device Description Block (in ecx) for( {5 s# `/ B0 U- k; \6 a# b
that device if it is installed.$ M3 h) @' M, K. Q# b4 n
( s+ O' J! l# Y6 U9 v, \
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID1 L- L! ?8 t$ X4 p
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-); j; Q5 j. X5 B8 D
VMMCall Get_DDB) l2 Z/ M4 V) E
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
, a C2 e2 j$ {; K- q1 i7 Y3 s3 A- U% v# B2 \- t7 V- l2 L+ n
Note as well that you can easily detect this method with SoftICE:2 {& H/ o" Q; y& I
bpx Get_DDB if ax==0202 || ax==7a5fh8 d5 m! }9 u: D0 l x
5 o8 B3 R" G- Q i% k5 R__________________________________________________________________________
H% X- O% t+ {, X! F1 `8 g: u/ E% y1 g0 E3 ]# c& v
Method 100 g# J0 F; x9 {7 q' `
=========$ h' B+ o$ `# k- @) F, Q
% Q% ^9 @7 `4 J W: Q7 l
=>Disable or clear breakpoints before using this feature. DO NOT trace with, a9 ^9 G, s4 u* A
SoftICE while the option is enable!!8 ^# |4 F0 g, p+ h# ?
$ \2 a o+ T6 N
This trick is very efficient:
" R% q5 E, o9 A4 S% Z2 G$ V6 H H3 Oby checking the Debug Registers, you can detect if SoftICE is loaded2 Y& }* A& h- Y0 d
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if, b K g' x J, q1 }+ v; G
there are some memory breakpoints set (dr0 to dr3) simply by reading their
0 i+ q2 \5 D* E' Y1 o0 _* lvalue (in ring0 only). Values can be manipulated and or changed as well
4 w. l3 A' p$ {: W) q(clearing BPMs for instance). q0 W/ l6 N- C' P/ U
8 G4 k5 V) ^/ E% E0 X; c, f1 F__________________________________________________________________________% Q) R% d) _' k! F+ x+ {" b' ]
8 }4 U: e! Z! }0 W4 `
Method 11# L9 X! N9 Y t: Z9 r9 A
=========" J6 |% Q: M+ P; Y2 x% R5 Y
# a0 V. ?5 l0 N6 W
This method is most known as 'MeltICE' because it has been freely distributed
: ]" m+ p9 c% { m; [$ {via www.winfiles.com. However it was first used by NuMega people to allow$ T- z7 O2 d2 p$ `1 |% I! N* ~+ c
Symbol Loader to check if SoftICE was active or not (the code is located3 _' S& \% {$ t) y
inside nmtrans.dll).
' g8 T1 |! W! s+ F+ z9 o* G9 l( b, A( ?, A# \
The way it works is very simple:- m a! U t. K1 B
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
% Y% u! s/ e; i. IWinNT) with the CreateFileA API.
$ [1 H/ e4 m+ x$ u. s4 [. ?1 C1 j; ~) Y3 q5 s0 ?# U# ]
Here is a sample (checking for 'SICE'):: b. f$ K. W, b2 ^0 @
( a2 d( ?& m8 Q* q/ ^. O1 R
BOOL IsSoftIce95Loaded()8 s5 _! M; o' ]$ P8 ~( U
{) k0 ^" e: s; Y/ a
HANDLE hFile;
! S" N8 n" d' g( e5 p# Z hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,6 I8 v& e3 H( k2 `) S, ?
FILE_SHARE_READ | FILE_SHARE_WRITE,/ F& O' j3 }0 g
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
4 n# H3 U, J$ g& i if( hFile != INVALID_HANDLE_VALUE )
; Z; O7 d/ K: T$ X3 h {4 ~: c, f6 R8 m& A" J G
CloseHandle(hFile);4 I: v* I6 g; r
return TRUE;+ |8 H" E4 Y0 E- l4 y2 v; e
}
9 a( N0 M2 K1 U0 p return FALSE;
2 w; r9 \6 { N0 m1 a}* Y( Q3 l2 M# t9 l# B
E! V/ c6 l5 ]. F' M5 J3 L8 \/ ~
Although this trick calls the CreateFileA function, don't even expect to be
2 U |& @+ i9 Q+ n7 k1 E$ J+ k/ U+ H$ zable to intercept it by installing a IFS hook: it will not work, no way!' G+ p# Z' L! R/ E* ]* ^
In fact, after the call to CreateFileA it will get through VWIN32 0x001F/ x! z# s/ b' q! P: t! a
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
) j1 n H$ b7 P' J/ Sand then browse the DDB list until it find the VxD and its DDB_Control_Proc
: W7 G' t* Y. i5 |field.( b+ P9 e! d, {1 F6 k+ p; F) |
In fact, its purpose is not to load/unload VxDs but only to send a
% b4 m$ s' f- v. K- y3 KW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
: v' ^1 H; [' `# ~9 Z4 @9 L& E+ ^to the VxD Control_Dispatch proc (how the hell a shareware soft could try
3 E* K8 ^. w& Bto load/unload a non-dynamically loadable driver such as SoftICE ;-).
! `2 r4 C( }' h. IIf the VxD is loaded, it will always clear eax and the Carry flag to allow
+ d$ e- u8 S d. g$ sits handle to be opened and then, will be detected.1 J/ ?; W! M% r/ v9 u% _9 t
You can check that simply by hooking Winice.exe control proc entry point2 D4 F0 g$ ?# g) ~# K d
while running MeltICE.
8 [/ u3 z8 z2 X
+ |$ p8 O5 U U+ ]3 R) }
% M1 p8 y1 I0 f* b3 S: v 00401067: push 00402025 ; \\.\SICE, R7 |0 }6 h9 @1 s1 {8 o( }
0040106C: call CreateFileA
% X% q- f r4 R8 V# w8 @ 00401071: cmp eax,-0011 E: J2 `5 O+ d# Z% s8 C. k
00401074: je 00401091! p9 }% |! y# ^7 o: V4 p, j
4 C: ]$ l6 O& o0 S0 H! I1 `, [9 r
0 |1 g+ g: [$ z+ r( [0 ]There could be hundreds of BPX you could use to detect this trick.
& {$ u. v; M9 r5 Q8 z-The most classical one is:0 X1 S, {0 }* v
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||: ]5 V9 s8 B1 c: p( Z
*(esp->4+4)=='NTIC'$ ~( R% c8 W1 i# m$ r
7 s" q1 `; _% L* S- g-The most exotic ones (could be very slooooow :-(3 a" x8 u( |$ D% O8 h$ m6 [
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') ; ~% Z s% A% F/ M) q: ]. k
;will break 3 times :-(0 B x$ y, w1 f9 z4 S( { @8 Z4 _; ^
$ L) x- x$ N4 c9 U8 X+ w
-or (a bit) faster: 1 s2 |& q: w- u6 e6 U- Q: l! D
BPINT 30 if (*edi=='SICE' || *edi=='SIWV') G( n- I- k+ |& d
3 v, r$ i0 {' z; I4 p6 L
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
. r0 u& k$ ?/ t$ a2 f6 H- ^: u ;will break 3 times :-(
$ R2 e( _$ ]: G( G) M
$ s' G8 g4 j+ n1 n# I: @-Much faster:8 Y% g' e% {3 c' o
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
5 ?, }2 p8 k# {; M" s* E* X
; H! R0 m2 g- I, n4 FNote also that some programs (like AZPR3.00) use de old 16-bit _lopen. k& F+ t* d- a) G' e4 \0 z2 w
function to do the same job:& @& V: s- P: F) L% B
' w# b1 m+ m G; w# H: c2 R$ w2 H push 00 ; OF_READ
K1 W8 m9 \- ]* r3 h$ i, p. a mov eax,[00656634] ; '\\.\SICE',0
5 r. v7 k# t8 C6 q' v' D) W push eax
" t3 U- }; j. }1 I: {/ ?2 @ call KERNEL32!_lopen
' s1 A |7 a1 d3 C1 f/ i5 u8 M) Y inc eax9 S0 I+ f9 A6 v' q7 \. Q$ f/ h
jnz 00650589 ; detected' O0 F; X/ l( h' w x( g
push 00 ; OF_READ
- Q% u7 S; o, Z' Y3 L- r9 a mov eax,[00656638] ; '\\.\SICE'. {, M9 j, ~% I" R
push eax
+ }5 a& M, }4 f* a call KERNEL32!_lopen
3 t, {+ x9 o# L, `. b inc eax
/ k1 b' P! L$ G* m \ jz 006505ae ; not detected( b/ `0 S Y' D0 `( K/ I! A# [
/ w3 x* _" W5 |$ ^3 @" n* X; l) T+ C0 `1 ?5 \
__________________________________________________________________________
[3 N1 G2 N: `4 d4 L; @2 g8 y# A+ O7 G& U% N; n9 \& q
Method 12; w( V5 m: R1 y, u. S
=========
2 r7 F3 T. X( V7 w
5 l2 G Q% i6 v. A+ A6 y# mThis trick is similar to int41h/4fh Debugger installation check (code 058 u% \8 X+ _% `# y; [/ |( ^! d
& 06) but very limited because it's only available for Win95/98 (not NT)
% f+ {8 W" ^5 S" x) Sas it uses the VxDCall backdoor. This detection was found in Bleem Demo.) s. I! a0 G; ]
6 h! u; B! ]3 p- t1 ?7 F: S
push 0000004fh ; function 4fh3 Z- W4 o4 T4 I' b: |$ ?8 J
push 002a002ah ; high word specifies which VxD (VWIN32) c }* P/ H0 O& g- |/ `
; low word specifies which service% I. a& x# q# I- B, f3 f6 w
(VWIN32_Int41Dispatch)
0 F; l$ L" u! N8 y3 _* a& K call Kernel32!ORD_001 ; VxdCall
) [ j/ V y* R, H0 c; r cmp ax, 0f386h ; magic number returned by system debuggers
( B% B4 [6 S( M. f5 w8 a jz SoftICE_detected
( |8 W( ~7 X' x0 D( P8 m) r8 D" |! e! b H6 ]# Q
Here again, several ways to detect it:( R$ Z1 N$ U* k3 y4 k
! c; ^% D4 n) I6 C* J \ BPINT 41 if ax==4f
9 T& N& ?! u' f
0 N, P6 ?% C# z' J% q BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one1 f t2 a" u8 W& e
8 {2 p4 x6 h0 Q' J9 h: i+ U BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A# q& `& \$ N) h1 @6 u2 f, F0 N
- @( E. |1 a q3 N3 |+ c9 O, q
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
* L/ ]) v$ f, D4 D+ H- U
0 U. y D. |2 m! ^9 E8 ]__________________________________________________________________________9 j( n! c" W( z1 X
5 \6 a3 v" _: J& \Method 131 k, s4 l5 E; S! W
=========
* n: Z% e6 \$ U m3 k- }
$ @- }1 p3 F' m! D$ {Not a real method of detection, but a good way to know if SoftICE is
) X. B. M5 N% Binstalled on a computer and to locate its installation directory.$ t& D: P$ a m7 V
It is used by few softs which access the following registry keys (usually #2) :
. F( p6 B% K4 q# ^* R( `, }
0 d. ^9 V8 }( v# ^-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion6 ^2 X8 r" O! N; r' d
\Uninstall\SoftICE. a [8 P! E$ ^$ k& r9 Q* e
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
- v7 I! Y7 Y9 v2 i1 F$ h$ |-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
" _1 z( y4 e, ]$ u7 V4 X\App Paths\Loader32.Exe, `" X( e- L- n8 p p) Z5 R
& @) w+ i! J( l7 n }
- Y* R* D$ A$ a2 Z
Note that some nasty apps could then erase all files from SoftICE directory
/ R& y6 i6 |( ?" c- j- R& Z(I faced that once :-(( H& b4 v. r- E _# u
' v; N" c& }, O; M7 K
Useful breakpoint to detect it:" B4 z8 s" w. P% {
" Q+ P" Z6 w, |( s: j' k" R8 d
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'! k* A Q6 W5 F1 \7 G
9 [# x9 u0 T \ ~__________________________________________________________________________
4 Q9 I9 A$ v4 J% X8 \: c) R& B9 K" A/ X( ^1 W' E. h
6 W3 {7 \$ |0 g wMethod 14 ! r( d Z6 } a) e1 g7 }2 z/ p9 t" I6 c
=========2 V/ j; W) g9 W
1 _- f3 u: F7 v4 O, _
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
% R" {3 K/ a" Y: M6 ^$ i" h: Pis to determines whether a debugger is running on your system (ring0 only).
. g, ?" `% y1 a4 x* B2 f. O" m3 u% E8 X
VMMCall Test_Debug_Installed
6 }* \! X: _) } i: ~/ K je not_installed
( }, L( O x# C
) S5 I, ~8 m, \" v' EThis service just checks a flag.
/ |6 Y2 e! g" z</PRE></TD></TR></TBODY></TABLE> |