<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of SoftICE detection (as well as the following one) is used
by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE emulates: with
EBP='BCHK' and AX=4, an INT 3 is answered by SoftICE, which changes AL.
Without SoftICE the INT 3 returns with AL still equal to 4 (for that to
happen at all, the program must have installed its own INT 3 handler, or
an SEH frame under Win32, otherwise the breakpoint exception kills it).

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h ('FG')
 -DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV  AX,0911          ; execute command.
4C19:0098 MOV  DX,[BX]          ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647          ; 1st magic value.
4C19:009D MOV  DI,4A4D          ; 2nd magic value.
4C19:00A0 INT  3                ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD  BX,02            ; BX+2 to point to the next command to execute
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06            ; Repeat 6 times to execute
4C19:00A8 JB   0095             ; 6 different commands.
4C19:00AA JMP  0002             ; Bad_Guy jmp back.
4C19:00AD MOV  BX,SP            ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own INT 3 exception
  handler when the debugger is not loaded (a DOS program has no Win32 SEH:
  it installs its own int 03h vector); with SoftICE loaded, SoftICE services
  the INT 3 itself and execution continues at 00A1.
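The two INT 3 signatures above (the 'BCHK' probe of Method 01 and the 'FG'/'JM' back door of Method 02) as an added example in C. This is not code from the original text, from SoftICE or from any of the programs it discusses: it is the classifier an emulator or sandbox would run on each INT 3 it traps, fed from a register snapshot. The function names, the scalar register arguments and the sample values (including the six-command table of the Haspinst.exe loop) are constructed here.

```c
/* Added example, not from the original text: classify an INT 3 from the
 * registers at the time of the trap, using the two signatures described
 * above. A sandbox or emulator that logs these sees the BoundsChecker
 * probe and the SoftICE back door calls without SoftICE being present. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BCHK_MAGIC    0x4243484Bu   /* 'BCHK' in EBP (Method 01) */
#define SICE_MAGIC_SI 0x4647u       /* 'FG'   in SI  (Method 02) */
#define SICE_MAGIC_DI 0x4A4Du       /* 'JM'   in DI  (Method 02) */

enum int3_kind {
    INT3_PLAIN,            /* ordinary breakpoint, no signature         */
    INT3_BCHK_PROBE,       /* Method 01: BoundsChecker interface check  */
    INT3_SICE_DISPLAY,     /* AX=0910h: display string                  */
    INT3_SICE_EXEC,        /* AX=0911h: execute command at DS:DX        */
    INT3_SICE_GET_BP,      /* AX=0912h: get breakpoint info             */
    INT3_SICE_SET_BP,      /* AX=0913h: set breakpoints                 */
    INT3_SICE_REMOVE_BP,   /* AX=0914h: remove breakpoints              */
    INT3_SICE_OTHER        /* magic values present, function not listed */
};

/* Classify one INT 3 from a (constructed) register snapshot. */
enum int3_kind classify_int3(uint32_t ebp, uint16_t ax, uint16_t si, uint16_t di)
{
    if (ebp == BCHK_MAGIC && ax == 0x0004)
        return INT3_BCHK_PROBE;
    if (si != SICE_MAGIC_SI || di != SICE_MAGIC_DI)
        return INT3_PLAIN;             /* no 'FG'/'JM': not a back door call */
    switch (ax) {
    case 0x0910: return INT3_SICE_DISPLAY;
    case 0x0911: return INT3_SICE_EXEC;
    case 0x0912: return INT3_SICE_GET_BP;
    case 0x0913: return INT3_SICE_SET_BP;
    case 0x0914: return INT3_SICE_REMOVE_BP;
    default:     return INT3_SICE_OTHER;
    }
}

/* Of the commands a protector can push through 0911h, HBOOT reboots the
 * machine: treat it as hostile rather than as a query. */
int is_hostile_backdoor_command(const char *ds_dx)
{
    return ds_dx != NULL && strncmp(ds_dx, "HBOOT", 5) == 0;
}

/* Constructed: the six commands the text lists for the Haspinst.exe loop. */
const char *const HASPINST_COMMANDS[] = { "LDT", "IDT", "GDT", "TSS", "RS", "HBOOT" };
const size_t HASPINST_COMMAND_COUNT = sizeof HASPINST_COMMANDS / sizeof HASPINST_COMMANDS[0];

/* Replay the loop: every trap carries AX=0911h and the magic values while
 * DS:DX walks the command table. Returns how many commands are hostile. */
int count_hostile_commands(const char *const *cmds, size_t n)
{
    int hostile = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_int3(0, 0x0911, SICE_MAGIC_SI, SICE_MAGIC_DI) == INT3_SICE_EXEC
            && is_hostile_backdoor_command(cmds[i]))
            hostile++;
    return hostile;
}

int main(void)
{
    printf("BCHK probe  -> kind %d\n", classify_int3(BCHK_MAGIC, 0x0004, 0, 0));
    printf("plain INT 3 -> kind %d\n", classify_int3(0, 0x0911, 0, 0));
    printf("Haspinst loop: %d hostile of %u back door commands\n",
           count_hostile_commands(HASPINST_COMMANDS, HASPINST_COMMAND_COUNT),
           (unsigned)HASPINST_COMMAND_COUNT);
    return 0;
}
```

The BCHK test is evaluated first because that probe does not set SI/DI; the back door test then requires both magic values before AX is interpreted, so an ordinary INT 3 with AX accidentally equal to 0911h is not misreported.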
/ F; d* m5 [& t. S* k) s& m8 q___________________________________________________________________________& }* R# x+ m# |! E9 v. }
F& O" r5 a" o8 Q
Method 03
=========

Less used method. It looks for the SoftICE VxD ID through int 2Fh/1684h
(API 'Get Device API Entry Point'): if the VxD is loaded, ES:DI receives its
API entry point; if it is not, ES:DI stays 0:0.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of winice (SICE)
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di                  ; (OR would be safer: the sum can wrap to 0)
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7A5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers when int 41h function 4Fh (Debugger Installation Check) is called.
There are several alternatives.

The following one is the simplest:

        mov     ax, 4Fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next method, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily replaces the int 41h
vector in the real-mode IVT with a dummy handler: without a system debugger
the call returns through that handler with AX unchanged; SoftICE catches
int 41h before the IVT handler runs and still answers with 0F386h.

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> the IVT
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install dummy handler, save old vector
        xchg    bx, es:[41h*4+2]
        mov     ax, 4Fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0F386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method, similar to the preceding one but harder to detect: neither
4Fh nor 0F386h appears in the code. It reads a byte from the PIT (port 40h)
to get an unpredictable value in AL, clears CX and issues int 41h with its
own handler installed. If the handler runs (no debugger), it copies AL into
CL and the compare succeeds; if SoftICE swallows the interrupt, CL stays 0
and differs from AL.

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; ES = 0 -> the IVT
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]          ; install own handler, save old vector
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; PIT counter: pseudo-random byte
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

Caveat: when the byte read from port 40h is 0, CL and AL match whether or
not the handler ran, so this check misses the debugger about one time in
256.

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86): function 43h is the
installation check of the int 68h debugger interface and returns the same
0F386h magic number.

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

Not a method of SoftICE detection, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...).

        mov     ah, 25h
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
of that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise, since bit 10 of DR7 always reads as 1) or whether memory
breakpoints are set (DR0 to DR3), simply by reading their values (in ring 0
only: MOV from a debug register faults at ring 3). Values can be manipulated
or changed as well (clearing BPMs for instance).
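How the DR7 values quoted above are read, as an added example in C that is not part of the original text. Because DR7 can only be read at ring 0, the decoder takes the register value as a parameter instead of executing MOV EAX,DR7; the bit layout is the one documented in the Intel SDM, and the sample values (no debugger, SoftICE loader, one 4-byte read/write breakpoint on DR0) are constructed. Function names are assumptions of this example.

```c
/* Added example, not from the original text: decode DR7 the way the debug
 * register check above interprets it. Layout per the Intel SDM: L0/G0..L3/G3
 * in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved (always reads as 1),
 * GD bit 13, R/Wn in bits 16+4n..17+4n and LENn in bits 18+4n..19+4n. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

#define DR7_RESERVED_BIT10 0x400u   /* the "0x400 otherwise" of the text */
#define DR7_LE             0x100u   /* local exact breakpoint enable      */
#define DR7_GE             0x200u   /* global exact breakpoint enable     */

/* Is DRn (n = 0..3) armed, locally or globally? */
int dr7_enabled(uint32_t dr7, int n)
{
    return ((dr7 >> (2 * n)) & 3u) != 0;
}

/* Break condition of DRn: 0 = execute, 1 = write, 3 = read or write. */
int dr7_rw(uint32_t dr7, int n)
{
    return (int)((dr7 >> (16 + 4 * n)) & 3u);
}

/* Length field of DRn: 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes. */
int dr7_len(uint32_t dr7, int n)
{
    return (int)((dr7 >> (18 + 4 * n)) & 3u);
}

/* Number of hardware breakpoints currently armed (DR0..DR3). */
int dr7_count_armed(uint32_t dr7)
{
    int count = 0;
    for (int n = 0; n < 4; n++)
        count += dr7_enabled(dr7, n);
    return count;
}

/* The check the text describes: LE/GE set (0x700 after the SoftICE loader,
 * versus the bare reserved bit 0x400) or any DRn armed. */
int dr7_looks_debugged(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) != 0 || dr7_count_armed(dr7) > 0;
}

/* "Clearing BPMs": drop every enable bit and every R/W-LEN field, keep
 * bits 8-15 (LE, GE, GD) and the reserved bit as they were. */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return (dr7 & 0x0000FF00u) | DR7_RESERVED_BIT10;
}

void dr7_print(uint32_t dr7)
{
    printf("DR7=%08X debugged=%d LE=%d GE=%d armed=%d",
           (unsigned)dr7, dr7_looks_debugged(dr7), (dr7 & DR7_LE) != 0,
           (dr7 & DR7_GE) != 0, dr7_count_armed(dr7));
    for (int n = 0; n < 4; n++)
        if (dr7_enabled(dr7, n))
            printf(" DR%d[rw=%d len=%d]", n, dr7_rw(dr7, n), dr7_len(dr7, n));
    putchar('\n');
}

int main(void)
{
    /* Constructed samples: no debugger, SoftICE loader, loader + 4-byte R/W BPM on DR0 */
    dr7_print(0x00000400u);
    dr7_print(0x00000700u);
    dr7_print(0x000F0701u);
    return 0;
}
```

Note that the 0x700 signature only holds for programs started through the SoftICE loader; a process SoftICE attaches to later keeps DR7 at 0x400 until a BPM is set, so a protector that relies on LE/GE alone can be defeated by loading the program some other way.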
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega people
to allow Symbol Loader to check whether SoftICE was active or not (the code
is located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then
browses the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001         ; INVALID_HANDLE_VALUE
        00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'
 (esp->4 is lpFileName; +4 skips the "\\.\" prefix, and the 4-byte compare
 reads the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax                     ; HFILE_ERROR (-1) becomes 0
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected
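The MeltICE check generalized to the three driver names the text lists, as an added example in C. It is neither the MeltICE nor the nmtrans.dll code: the Win32 open is placed behind a function pointer so that the probe logic, and the condition of the classic CreateFileA breakpoint, can be exercised on any system with a constructed fake opener (here one that pretends only SIWVID is loaded). The function names and the fakes are assumptions of this example; on Windows the wrapper around CreateFileA is the real opener.

```c
/* Added example, not from the original text nor from MeltICE/nmtrans.dll:
 * the device-name probe generalized to all three driver names, with the
 * open call injected so the logic runs without SoftICE or Windows. */
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Opener contract: return nonzero if the device opened (and close it). */
typedef int (*device_opener_t)(const char *path);

static const char *const kSoftIceDevices[] = {
    "\\\\.\\SICE",      /* SoftICE for Win9x, core VxD   */
    "\\\\.\\SIWVID",    /* SoftICE for Win9x, video VxD  */
    "\\\\.\\NTICE",     /* SoftICE for Windows NT driver */
};
#define SOFTICE_DEVICE_COUNT (sizeof kSoftIceDevices / sizeof kSoftIceDevices[0])

/* MeltICE logic: the debugger is loaded if any of its device names opens.
 * Returns the index of the first name that opened, or -1. */
int softice_probe(device_opener_t open_fn)
{
    for (size_t i = 0; i < SOFTICE_DEVICE_COUNT; i++)
        if (open_fn(kSoftIceDevices[i]))
            return (int)i;
    return -1;
}

/* The classic SoftICE breakpoint condition, in C:
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName; +4 skips the "\\.\" prefix, and the 4-byte compare
 * reads the first four characters of the device name. */
int bpx_createfilea_condition(const char *lpFileName)
{
    if (lpFileName == NULL || strlen(lpFileName) < 8)
        return 0;                       /* shorter than "\\.\SICE": cannot match */
    const char *tag = lpFileName + 4;
    return memcmp(tag, "SICE", 4) == 0
        || memcmp(tag, "SIWV", 4) == 0
        || memcmp(tag, "NTIC", 4) == 0;
}

#ifdef _WIN32
#include <windows.h>
/* Real opener for Windows: exactly the call the text shows. */
int win32_open_device(const char *path)
{
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    CloseHandle(h);
    return 1;
}
#endif

/* Constructed fakes standing in for CreateFileA off-Windows. */
int fake_open_siwvid_only(const char *path)
{
    return strcmp(path, "\\\\.\\SIWVID") == 0;
}
int fake_open_nothing(const char *path)
{
    (void)path;
    return 0;
}

int main(void)
{
#ifdef _WIN32
    int idx = softice_probe(win32_open_device);
#else
    int idx = softice_probe(fake_open_siwvid_only);
#endif
    if (idx >= 0)
        printf("SoftICE detected via %s\n", kSoftIceDevices[idx]);
    else
        printf("no SoftICE device opened\n");
    for (size_t i = 0; i < SOFTICE_DEVICE_COUNT; i++)
        printf("BPX condition fires for %s: %d\n", kSoftIceDevices[i],
               bpx_createfilea_condition(kSoftIceDevices[i]));
    return 0;
}
```

The breakpoint condition deliberately compares only four bytes at offset 4, which is why the SoftICE expression uses 'SIWV' and 'NTIC' rather than the full names; the same compare is what you would put in a user-mode hook on CreateFileA, with the caveat the text gives that MeltICE's real work happens below the IFS layer.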

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger Installation Check
(methods 05 and 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

        push    0000004Fh               ; function 4Fh
        push    002A002Ah               ; high word specifies which VxD (VWIN32),
                                        ; low word which service (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_0001        ; VxDCall
        cmp     ax, 0F386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

 (esp->8 is lpSubKey; 'tICE' sits at offset 0x13 in "Software\NuMega\SoftICE"
 (key #2) and at offset 0x37 in the Uninstall key (key #1))

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag (the Zero flag is clear when a debugger is
installed).
</PRE></TD></TR></TBODY></TABLE>