<TABLE width=500>/ Y; @! V h7 M9 b" A% z
<TBODY>
2 O" H; _4 x! I T8 x<TR>
2 x! h/ k5 ]" I0 e O/ T1 |<TD><PRE>Method 01
6 m: c$ x. N. _6 }=========
1 l8 p+ F+ f5 z4 V' s5 w) f1 P% N8 L l7 k
This method of detection of SoftICE (as well as the following one) is9 E7 G+ {6 x; d( M( @# I
used by the majority of packers/encryptors found on Internet.$ E. E2 L; N( n; a) {
It seeks the signature of BoundsChecker in SoftICE4 o/ R+ b9 \- S# w" z! @
7 Y6 [( p& r: d1 M8 @; \
mov ebp, 04243484Bh ; 'BCHK'
- | G+ a" U* g* O8 y; g( u mov ax, 04h) g/ x t& |' p0 o) F' ` m
int 3
; D) U, L0 [7 U7 m- ^3 l# {' T2 c cmp al,4
. W9 Z/ `6 Q' t2 u7 R4 B2 ] jnz SoftICE_Detected% i& R+ `" o5 S" k; b
) j; E( s8 L6 `7 o$ j___________________________________________________________________________! w' Z7 e% k4 X' s& ~+ G
0 n$ `( S2 H1 V, Y8 q1 @
Method 02
* Y1 v" Q/ J) H% r' Q& }=========
5 Z) P0 K3 k1 U1 b. N2 ~2 ~* s# e) w4 S4 C5 j X$ b: D/ a
Still a method very much used (perhaps the most frequent one). It is used7 t+ z6 `$ y4 W" [/ E, q$ x
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,: `4 E" u: V9 R9 I" B- p! J5 @- R8 x
or execute SoftICE commands...
: B6 o; T1 ^% SIt is also used to crash SoftICE and to force it to execute any commands
7 [4 _# i+ S- Q5 o' X: N% I(HBOOT...) :-((
7 S, u( |% I5 J3 e! ]8 d8 q$ @
Here is a quick description:
% Y0 L! c1 }( t. k-AX = 0910h (Display string in SIce windows)* f. k; V4 i3 t
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)( s, d3 [ d2 y3 Y: p
-AX = 0912h (Get breakpoint infos)
) Y# Z' S3 q, I5 T. E. J-AX = 0913h (Set Sice breakpoints)
P- q0 }6 C+ U& `7 f& ]-AX = 0914h (Remove SIce breakoints)
% H+ L) @/ L6 o5 @# B' c1 B2 s, p0 g3 E0 \0 _* s2 o
Each time you'll meet this trick, you'll see:; Y$ ~; n6 V3 j' }( s" }
-SI = 4647h& w1 l/ B* N# ~; Y0 s7 T) x
-DI = 4A4Dh
0 d6 ?4 ~; R8 j( z/ ~& w/ d5 hWhich are the 'magic values' used by SoftIce. R2 E! H# p4 K8 U8 \
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
4 C- I5 l4 Y$ w9 F, y/ R
3 M+ U7 |- \7 I' W& OHere is one example from the file "Haspinst.exe" which is the dongle HASP* H3 V, s6 n9 l- f9 a
Envelope utility use to protect DOS applications:" E/ Q' g* u ~+ C6 x
' F8 m( Q: y! P6 ]4 A5 D; k8 s/ v4 o3 w( v% K
4C19:0095 MOV AX,0911 ; execute command.& [, C- U; w) _6 D4 _3 `
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
) Y: n/ e$ B8 c& f4C19:009A MOV SI,4647 ; 1st magic value.
, D/ k" I1 d3 K; d7 c# {/ |4C19:009D MOV DI,4A4D ; 2nd magic value.5 V P6 t' ?# I0 K1 A
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
# Z" f/ G; L1 m: j' {6 j1 y: d4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute" I/ l! [% [$ _
4C19:00A4 INC CX: T- P. t3 x$ W4 }( Z6 Q5 _
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
' N( l+ @1 l9 ^, o; D/ h6 q2 h/ X2 ~: d4C19:00A8 JB 0095 ; 6 different commands., c( J$ ?7 `8 U) _ l
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4 U* Z: ?: `& K8 k4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
& U# U' C: l, |; p x- j2 C, K" C L: U U7 F: P: ~0 T
The program will execute 6 different SIce commands located at ds:dx, which
' U8 h* q! y; ], m6 ~are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
+ a# l1 d. A$ ^! l( S5 K o' _: k! Y1 |. S$ J3 u
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.9 R' t( A0 Z; u5 H7 }0 @
___________________________________________________________________________! p) F0 a# a/ S$ C4 T
5 A7 v# e5 T5 y3 }7 Q0 V# a$ q
6 L# r# O, H- UMethod 03
+ o% D: @9 w- e% u' i6 S' Y+ ]=========
3 l0 w6 L q' m1 T" ^0 l1 l
" |6 i t. g% K/ V7 xLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
! W. ]7 a# @9 h3 l(API Get entry point)
0 O3 D( g* e; ?# K: D4 J ; b2 q" d1 J& x
9 R( ^$ \* ?6 d# g3 P xor di,di% O |) u4 Z; }0 @4 m% b
mov es,di
5 @$ y9 Y+ Q2 b7 k$ A( b mov ax, 1684h
. a& w7 d3 p: ?3 N1 m) w8 S mov bx, 0202h ; VxD ID of winice
( U7 B) @8 F. b6 n Z9 `, z int 2Fh! c) L+ o' H, t
mov ax, es ; ES:DI -> VxD API entry point1 L( Q* b; ~0 `" B' |7 ]
add ax, di
9 F: l- ~* g" z3 l test ax,ax7 Z7 z" F6 ^0 c
jnz SoftICE_Detected
9 d# E+ L7 h) {) u/ v9 n- a% A
. `1 D1 [7 J; N/ s$ V8 f$ K, B, @4 u___________________________________________________________________________' m+ `; K4 c0 e! h9 d
/ o6 s Z9 z" c, ^6 Y x
Method 04
. h- R' i, C' e=========
+ V0 f/ r7 Q4 c# r7 z! J" |1 D# i! `+ o" T% E
Method identical to the preceding one except that it seeks the ID of SoftICE5 M. @0 i% M2 h2 }5 \% r
GFX VxD.
' L J) {5 ]' m, P1 T6 Z$ t0 Y: s7 L T% Z% l. O$ C. N* O
xor di,di5 k$ Z+ O& P' @0 Y* q# i7 Z
mov es,di. j1 J( }3 Z/ v7 ^" {! H
mov ax, 1684h
/ k$ D0 Q% @4 c9 k: o mov bx, 7a5Fh ; VxD ID of SIWVID
7 c; t) j6 d/ [8 V9 U/ ~* L int 2fh9 @' v: ^2 N) }6 J+ m
mov ax, es ; ES:DI -> VxD API entry point5 t n, d+ _, t
add ax, di
$ u9 ~" n' Y- _$ f6 Q test ax,ax
6 n1 l2 K3 v3 V$ z' \ jnz SoftICE_Detected+ F2 d# S7 T; y; ?* E, e" e
H8 c1 y9 U( r2 T3 R+ o6 y# v
__________________________________________________________________________+ A8 h) K j5 r6 U
6 [' O$ m+ M: P' a
" H9 i+ T5 Q6 E% A2 g1 XMethod 05. [# K/ b2 l8 @) ~& T- @9 C- r0 V
=========( c. r3 f! V4 U" q5 X4 s& z: t
2 x4 D& h2 v! ?/ U8 |Method seeking the 'magic number' 0F386h returned (in ax) by all system# |. L5 |* x: n' [! v. V6 O+ `
debugger. It calls the int 41h, function 4Fh.* V4 q! S8 Q+ k D' f
There are several alternatives.
9 X, y u6 n# Y8 H5 a1 M- E5 l# {4 c4 Z
+ S& t: R4 ]5 SThe following one is the simplest:4 C6 M$ h4 F1 b
6 }' A8 x3 ~9 J1 ~
mov ax,4fh
* }7 m/ w" U) i5 k& I, _6 D int 41h! P% C* {2 m3 H' Z4 o
cmp ax, 0F386
( z% x5 [, T; H7 E' c9 G# I jz SoftICE_detected/ |: K" u+ G, a5 L- ^) A
% X+ I5 [$ t3 M2 u3 v# q5 l) a4 H' k( m9 e& v3 j; F
Next method as well as the following one are 2 examples from Stone's & g/ i' F2 L+ ^$ K1 p* B, \- k! ?
"stn-wid.zip" (www.cracking.net):' t0 ~% e7 J g7 C; r3 E2 Z7 c \
3 c5 |. }' O- T& b( { mov bx, cs
& r+ M2 c) d9 Z. C5 a lea dx, int41handler23 c! {& R- }3 G9 m+ U
xchg dx, es:[41h*4]
4 ~8 g9 q2 k) a* ] xchg bx, es:[41h*4+2]
" g ?; t5 \" X: Y3 h9 Y mov ax,4fh" r. ?0 h; j: b. P, ]6 g( k% z
int 41h3 i* E; a! p# H, q# m9 |6 T
xchg dx, es:[41h*4]0 a# K$ A: Y3 A' t" e
xchg bx, es:[41h*4+2]2 |7 a+ Y% |% ]" S o: E- i
cmp ax, 0f386h
6 d3 l; p& c/ e. y H: G' M3 v! I jz SoftICE_detected
0 H* x- e2 a, O% `! `' p+ j
9 ~7 i# E! {6 _0 k9 Yint41handler2 PROC
; {, Z5 E) q& f iret
* Q8 i# } m0 |& ~' Eint41handler2 ENDP
7 e7 z7 }* m5 ` j( P9 M" \4 J3 y: k9 Z! P+ T; B3 t8 |! J
L6 y4 L) b0 @5 t4 i5 H+ B3 R6 \_________________________________________________________________________
& }) z3 l# B5 K' R9 j& d5 p# P+ V, ^0 X" d1 y0 J5 `' _
8 w$ o' c. S: I. L2 T$ T$ cMethod 06/ t: ~' w$ g E
=========
0 J- A- z6 s& X& |4 C: q4 U' R9 ` L, N; ^; R( j
4 Z4 V7 `1 t- y# Y2nd method similar to the preceding one but more difficult to detect:
5 z& y7 c8 ~6 F' u6 c) E! r8 G+ p# u' y. {4 E5 A6 q' ^
& Z9 C2 d) i5 B* d+ F; r; Nint41handler PROC- z' P* q f2 y
mov cl,al: J2 B7 E% z9 ]4 C$ x
iret
, z. f8 A6 j7 E& R5 {int41handler ENDP
0 G" e/ m/ H& j3 ?' {0 I9 N, e0 i+ B
* L' b5 H; a9 q& F4 C( m xor ax,ax: n9 { q: m+ a5 v( [! s G
mov es,ax2 F# K- S/ R% d/ m' @5 b
mov bx, cs, P K; E, p: ]3 ~8 y6 p8 Z/ h
lea dx, int41handler
5 w8 R% ? @" B2 v( m$ j xchg dx, es:[41h*4]/ y }5 Z1 M: i- {) ^ p! ?9 \
xchg bx, es:[41h*4+2] g1 J. c1 } w0 u9 n8 r
in al, 40h
9 K! e- e; v* _* i3 u- S' U xor cx,cx
4 S4 F/ V" f6 S' ^ int 41h
8 x$ v: a7 n @1 V0 u# y2 c xchg dx, es:[41h*4]! ]1 K* T2 ]* e( y: ~. ~) W0 H. \7 I
xchg bx, es:[41h*4+2]
% o1 Q6 W9 ~3 l cmp cl,al& u3 x# @$ O: f6 M/ O7 ^$ }( o3 T
jnz SoftICE_detected5 m9 \' b/ m4 ~2 c3 O* [
9 I8 N$ F' Y: U- _! }( n9 \
_________________________________________________________________________* D/ t& r/ W$ T4 L* [9 m$ E
; A- C+ u: ^- l# a% q0 ~6 I3 z: l7 BMethod 071 m! K9 h+ H6 c% d
=========4 Y1 {9 ^" s4 p: P
; Y6 N9 C2 U. |& v. v9 v2 qMethod of detection of the WinICE handler in the int68h (V86)
|+ E9 E1 K/ U3 p1 j1 F6 [
' s$ I& D+ E4 A( u mov ah,43h$ A+ Y" \4 t) p2 q$ _: P5 a; l8 r
int 68h. Z' U, x% [% B1 o! ]
cmp ax,0F386h
* Y: j/ w2 \; }- Q jz SoftICE_Detected
X6 b& S) _2 H. V9 H" `" @3 e8 h5 S4 _( K3 V1 c# V
8 t3 F9 f( u+ F- D=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit6 d. ^; Y. D. i5 D/ n
app like this:
$ z! t M! m# M! D# I: N- ^( ]5 h9 E/ T+ R$ g
BPX exec_int if ax==68- R$ Q d# S5 F. B
(function called is located at byte ptr [ebp+1Dh] and client eip is
: S2 W- n" i- {+ [ O located at [ebp+48h] for 32Bit apps)2 q6 _+ O M1 Z3 ?( i( i
__________________________________________________________________________
/ } o. N, {& P) e9 W, c% i( N( R M: |: [/ e
# T2 o' s5 L# K( G) DMethod 08
/ \ m6 \! e9 |* w% N7 c=========
$ n- U8 S9 d5 P( W( O7 `! a* ?) @' R& a- q, P
It is not a method of detection of SoftICE but a possibility to crash the
( n$ Z$ i. X" l3 j6 E* I+ Usystem by intercepting int 01h and int 03h and redirecting them to another4 s+ h3 l8 _; q! g% l
routine./ d; p! o+ E+ M2 N& M7 m
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
1 j. D/ X% l7 [( P, c7 P* Vto the new routine to execute (hangs computer...)8 ~$ g8 M$ g$ a4 ^
' \" Q' X8 v3 Z! v' m
mov ah, 25h) _$ f0 U" H8 N7 A
mov al, Int_Number (01h or 03h)
! K1 R1 g2 J B+ _, p mov dx, offset New_Int_Routine3 n4 Y" [" Z Q. c
int 21h4 o$ l9 X1 a/ H7 N
( F3 B6 W$ @" [8 O$ x- z. y
__________________________________________________________________________% r/ E, b# D T( T/ V, w
- Y! j" Q7 |' N; J
Method 09) B( o8 n4 v( \1 x# l2 }( u4 ~
=========
- k6 p+ `, e* \5 O& \' R1 r+ U) @. b* `0 {2 f( e* X0 M
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
+ |4 C; k& S5 U, q4 k; Vperformed in ring0 (VxD or a ring3 app using the VxdCall).
s) _4 u1 z; @: j3 `6 V. UThe Get_DDB service is used to determine whether or not a VxD is installed5 }- ^& q1 i' U6 q, J0 f
for the specified device and returns a Device Description Block (in ecx) for
5 @9 b2 J+ y" \! {/ fthat device if it is installed.# K# q0 G1 Z+ _5 o! Q, m
; q0 a% L1 [) y& `+ P0 Z4 L
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID) l; @& I% ?: S- d; {
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)/ f3 H# Q( b, z0 g: L; C, `# P5 H2 R
VMMCall Get_DDB" h0 i" Z" Z; z. X
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed- K% e X, o8 F; m* @
9 L( M& \- B! O$ `8 I. gNote as well that you can easily detect this method with SoftICE:4 X) g6 N0 [$ t7 V* K0 j
bpx Get_DDB if ax==0202 || ax==7a5fh
0 V: k+ V& K" q1 J4 ?$ Q
* S, e4 J2 q# h. U__________________________________________________________________________& I+ L: y# T8 Y
! Y& E% H, @6 E' Q4 q& X. O" J4 XMethod 10% f \) B( U2 O" p
=========7 [$ O; z( f- v( Q8 x
2 p1 @3 `- D% D=>Disable or clear breakpoints before using this feature. DO NOT trace with( _* A* X- D8 d8 y+ l" v1 a
SoftICE while the option is enable!!
0 B2 z% H* b* _9 y# U4 \0 O
f. I: @- {* p6 b# b2 q2 e0 }This trick is very efficient:3 Y+ U0 P2 }! O% S
by checking the Debug Registers, you can detect if SoftICE is loaded+ U! g1 R7 r6 b' Z7 t H, H
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
( d6 X, d/ v( D; Q: e' X( q1 ]: v( bthere are some memory breakpoints set (dr0 to dr3) simply by reading their7 n7 J( v) k( Z K; @
value (in ring0 only). Values can be manipulated and or changed as well' H' z. R( p/ B
(clearing BPMs for instance)
3 G1 j y L, B4 x& {
. }4 Y' J* D) c n" I! a__________________________________________________________________________
; _- Q- u8 W6 v; x& i: y3 S ~4 c
Method 11
& \0 L; e8 ~2 N2 P; Z3 R+ Z0 D3 H=========. L! b1 }3 `+ k' G) t
6 ~7 q4 E4 @) m- s4 @( ]* JThis method is most known as 'MeltICE' because it has been freely distributed! d. L+ N- r' D6 g |4 f0 o
via www.winfiles.com. However it was first used by NuMega people to allow7 ? l) o$ m6 l. q. _
Symbol Loader to check if SoftICE was active or not (the code is located
4 g3 k* a6 j) Q! v& U4 P4 v2 {2 Vinside nmtrans.dll).0 ?" y1 c" t M! ]
. N8 s- a. z( `0 M2 |The way it works is very simple:8 ]3 I7 Y0 R. a, d
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
" F% T9 x% T; ?& q+ m4 }# wWinNT) with the CreateFileA API.
X0 f! ]* S/ H9 d8 O" g2 @1 t: i& l- Y" `, E3 N- U
Here is a sample (checking for 'SICE'):+ |- E) x3 w0 o: _% R" J( y" H# w
Y( x8 `. Y1 r
BOOL IsSoftIce95Loaded()
$ ]4 ?3 n5 _5 I4 h" W" `2 v. j# J{. k& Y2 E. A' W- D: M+ @! d
HANDLE hFile; ( N/ A* F# R0 x* F* m! E
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
& |. e! F( T+ }5 g FILE_SHARE_READ | FILE_SHARE_WRITE,
' `& q1 _3 L# R- n# R' _2 q NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
0 @% K9 l' E! D) s0 z4 }* ? if( hFile != INVALID_HANDLE_VALUE )
) E* [- i4 V) p$ X2 \% E j {9 V+ X8 j R; u: |# m9 t
CloseHandle(hFile);; x$ D# I- l3 r* v% s C! K
return TRUE;
7 H3 Q0 I/ e# [6 }7 I& G7 G }5 `7 g4 g' j+ R
return FALSE;4 c: q/ c( |# {" p
}
- I& P- k& p1 A! y$ {% _" D. w# s: T9 `, {; ^. D. `
Although this trick calls the CreateFileA function, don't even expect to be
, ?, Y' `- h( j* {# |' u. dable to intercept it by installing a IFS hook: it will not work, no way!9 z) J* p. W% r& o( K
In fact, after the call to CreateFileA it will get through VWIN32 0x001F& D3 l& e I0 H; Y3 p( |: ^
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
' D' J! i6 N" c6 E) S4 z$ Mand then browse the DDB list until it find the VxD and its DDB_Control_Proc3 T D4 u a) k W n% K9 ]+ A4 j
field.
: q* g- a ]4 rIn fact, its purpose is not to load/unload VxDs but only to send a 8 s' ]( H) K; I# F. |
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
" z$ L0 }! ?( j. y9 R7 Eto the VxD Control_Dispatch proc (how the hell a shareware soft could try
$ l$ ^2 [! i! u Q: a2 ]2 E0 y7 _to load/unload a non-dynamically loadable driver such as SoftICE ;-).
3 r- k( z/ p' `3 H/ u& x5 O tIf the VxD is loaded, it will always clear eax and the Carry flag to allow
8 u2 O$ }+ J* [! Uits handle to be opened and then, will be detected.
8 @' o' R. x% S- r; S7 ^You can check that simply by hooking Winice.exe control proc entry point
, X; ~" g# x+ O( K" H/ ]8 M/ |while running MeltICE.
( j+ G, M/ @) c& S% e# _) j
6 V5 J( m" O8 C- w! J& X2 h& }" u! D5 u V6 x1 E8 |3 Y
00401067: push 00402025 ; \\.\SICE
+ L6 n. T- Q: Y3 m8 J 0040106C: call CreateFileA
7 _* E; a5 {$ D1 Y# [, r 00401071: cmp eax,-001, Y4 R) [ j) m5 y5 d: O
00401074: je 004010918 x6 O% y# h, S9 w
( \/ ~9 W* n& g6 e9 ~
! G. D" n& C5 [ n( EThere could be hundreds of BPX you could use to detect this trick.0 h$ ?4 }* c" l' j
-The most classical one is:( M* ~. z; W+ Q( I& G2 T
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
$ v* D6 T7 Q+ L4 T% V) l# {1 ~; J$ T *(esp->4+4)=='NTIC'/ ^# L: t4 g3 j2 T
- H1 Z% ?6 k, o, q4 I
-The most exotic ones (could be very slooooow :-(
, D* D* t4 j" U1 c5 K9 g BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 9 G, I) M: p) h- E6 c
;will break 3 times :-( d& I* b X7 D4 P C5 A+ w
/ |1 e$ Z0 y$ i1 m9 i! e8 C, c- d) m7 O-or (a bit) faster:
3 r2 d% \2 l! s' {2 ? BPINT 30 if (*edi=='SICE' || *edi=='SIWV')1 ^5 `4 \0 W" f1 ]$ O3 p. c* ]6 Y0 ]
$ z8 n6 U5 w9 } BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' U6 n# w k/ Y7 y X# Q1 I
;will break 3 times :-(1 `: i7 k8 W1 h; H# m3 ^* }4 h
& K0 j- ?- g* C: Y
-Much faster:; E) z" K- e6 J. L! r
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
/ ~0 q( W4 P0 Z0 v
9 l0 P0 z+ G+ l& N# pNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
6 s' F2 J: |( v: P& _function to do the same job:8 O+ d8 l; G& b
$ c, Q; b) ^3 p6 v* y push 00 ; OF_READ
( S; k& d* N1 [# {2 @ n8 C mov eax,[00656634] ; '\\.\SICE',0
6 B& W( G, u5 Z2 i push eax
! D, s- N$ J3 I7 g0 a4 I+ H call KERNEL32!_lopen# t; N0 P- f+ G! |# t H p
inc eax
6 O& Y2 E% i$ P: }0 w jnz 00650589 ; detected, ?. T& n3 K8 B! W7 ]& o7 M
push 00 ; OF_READ
7 W- r% G5 s! j6 y8 B) ~ mov eax,[00656638] ; '\\.\SICE'' Y3 t7 J3 i" {& x# s
push eax
2 `7 S& a) B' ~$ S2 v6 |+ _! W& r0 L( W call KERNEL32!_lopen
) C3 \2 R( ]# @( U& C) e' U inc eax8 r0 c, n; ^# r- @
jz 006505ae ; not detected
! V6 q' I) u0 |2 c6 t- k2 Z1 l, Z0 b% p/ ~2 A1 ]; z, e
- l$ Q( h8 f9 F- D- y6 G% t
__________________________________________________________________________$ e" N, P( l: p3 O
6 J. n! M7 b2 n3 {: X7 Q* Z
Method 12
8 R! B6 p9 x+ _' m2 X3 S4 Y6 M=========" v c! D' t* j. |1 v, i' G
I; ^+ |- A6 D; ^' QThis trick is similar to int41h/4fh Debugger installation check (code 05
y' m9 \' B2 G9 b, L6 |2 ]" q# `# B d& 06) but very limited because it's only available for Win95/98 (not NT)
! t& B) i; u1 T$ H: X: fas it uses the VxDCall backdoor. This detection was found in Bleem Demo.$ q5 n* @4 j/ E4 N& w
; @: _; [! N3 g9 r- V' v push 0000004fh ; function 4fh+ `+ U9 O" ^+ U4 \9 h$ o9 ~/ b/ F
push 002a002ah ; high word specifies which VxD (VWIN32)3 o* X8 K: @, ^$ i( V
; low word specifies which service
$ H) C7 B) o, B3 u- ]& b6 h4 b (VWIN32_Int41Dispatch)$ t5 A9 n0 _4 v- i& g% z7 |# c' a
call Kernel32!ORD_001 ; VxdCall
1 ?3 ?% ?7 Z9 d/ D1 @ cmp ax, 0f386h ; magic number returned by system debuggers
( y- p& y9 [: ?/ U jz SoftICE_detected5 x4 |0 o" G2 b" f8 e4 n
5 f9 M- }: Y. H) o7 dHere again, several ways to detect it:
0 c" V4 ^; B1 ?0 V' K0 L7 o/ d @& H) ~1 F7 \2 R
BPINT 41 if ax==4f
" O# K `; x+ H" o; u
1 G! r; ]8 |/ n3 g BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
4 A, S* c# [ Z# I3 M0 d) v% M( M5 \4 o, S3 _
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
6 S. H- d0 }: I# k$ g1 l& U9 ?. Z) C
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!6 F R# B2 }% L. t" `7 C- x
3 r" \/ K* s8 g3 |1 U8 a__________________________________________________________________________" g( U1 H' j& B+ E: c0 |
( _' y# W5 ^9 n4 @9 }Method 13
7 ?* G0 [7 u, E6 S, Q+ @=========
% U3 v; V& a6 |7 u2 c; G0 ~7 n5 j& U6 i+ n& @& X" G3 b
Not a real method of detection, but a good way to know if SoftICE is
. T* t. u, \% f* V* h- p7 \installed on a computer and to locate its installation directory.% r) ~: W. ^0 c6 B0 i: C
It is used by few softs which access the following registry keys (usually #2) : U4 _8 h+ _- }7 k0 V: D! ?& H
# ^( d4 v: P% l9 Q+ j-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
1 {# a" v- Q" @ [) X7 }\Uninstall\SoftICE8 ?" t4 R- R+ J0 Q
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE- I4 k* _; l5 k) L
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion% n* i; U/ @1 m
\App Paths\Loader32.Exe
) H2 O- D6 H6 p- a1 e. f/ t" k& ^
: u' X1 f. y' a) _. `( T6 O6 ^9 _! W" X5 z3 M
Note that some nasty apps could then erase all files from SoftICE directory6 S' P; S7 t* c1 g$ v
(I faced that once :-(
) d4 ?5 }' m: y3 A n2 A# C0 {; o0 o! ~3 C' Q6 e8 W
Useful breakpoint to detect it:0 Q$ _2 e4 N7 e, s- }5 r5 J! h+ x5 X
9 H) j3 L. m0 w2 b9 C7 \4 x
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE' v6 A/ u1 x$ I# @% h+ V! ]
9 E3 @- ~& \" h5 k4 ?$ @" P__________________________________________________________________________
+ {- E' X4 s* |8 o$ X2 I7 \- f/ j; z" d& [$ ?8 w& c
( v) n- P! ?$ X
Method 14
1 k& P3 f" [! T2 f=========
# V- \. H: H8 f3 I0 _7 b' A$ G1 m
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
/ Q5 w; k9 ~0 \. _is to determines whether a debugger is running on your system (ring0 only).) M, B+ _ T' _2 E- u( w! t
) h) n2 A; h3 M
VMMCall Test_Debug_Installed' k T. X7 s3 }
je not_installed: {3 A( [# G3 W0 N- J
. L5 {$ d% m8 b
This service just checks a flag.
) w" w+ `5 R' ]! Y+ A @</PRE></TD></TR></TBODY></TABLE> |