<TABLE width=500>
) q6 E9 i, v( W2 e" L<TBODY>
0 {! d4 P, h; f) O( E: }<TR>8 s6 w/ l9 U1 Q. K2 B
<TD><PRE>Method 01 / k& y6 C& o8 A+ |" V
=========4 O) W! B8 }0 l- P7 B4 c
- p/ g7 I% c! I0 @% p& I% |( |This method of detection of SoftICE (as well as the following one) is
" s! }2 d. E" Bused by the majority of packers/encryptors found on Internet.4 i/ p& c' ~8 B! k% N; n* R( l; Q
It seeks the signature of BoundsChecker in SoftICE
4 x P9 n& @. i# [/ c
7 _0 a; h; M* J7 Q" Y; d3 R mov ebp, 04243484Bh ; 'BCHK'6 B( l S* @* G: K& F# e( H
mov ax, 04h& P o4 p$ D: d4 y7 V6 r
int 3
' {& s/ B; Y6 w. f5 ~& A n! K cmp al,4/ a6 ], C* I( m- G: @, r
jnz SoftICE_Detected
, H" r& R# E% P" H3 L$ m( F( B$ m* x& }" A4 Y: ~
___________________________________________________________________________8 Z% C6 n ?0 _: E
3 J! O o C! A; z( V9 H
Method 02
1 C$ D4 y) Z' U=========/ ^$ e2 r9 X) a3 U: n1 |4 R- w
8 V) G$ b4 n5 vStill a method very much used (perhaps the most frequent one). It is used1 Z; ~7 N- o7 ?) x* b3 f
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,8 i G9 e# j- M& j3 u
or execute SoftICE commands...3 H+ W" S9 p% h) m2 @0 O
It is also used to crash SoftICE and to force it to execute any commands- K; X. g" a6 O) f1 A$ y7 `
(HBOOT...) :-(( " w, e8 T9 E- \' Y2 V3 h
: V% c" u, w6 a5 yHere is a quick description:7 }( [# ?! B& [4 j! P$ v
-AX = 0910h (Display string in SIce windows)
, R/ b U4 v/ f/ g5 ?# d-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
: e! |+ d Y0 s& Y# u) M1 z-AX = 0912h (Get breakpoint infos)
8 J7 ]$ @6 [& m P6 R9 V# Q-AX = 0913h (Set Sice breakpoints)
7 j- h; j7 b; j-AX = 0914h (Remove SIce breakoints)1 Y. c. ]% m0 R& f
5 a- m) O+ T5 w5 ^& }9 \" P
Each time you'll meet this trick, you'll see:
6 K! z3 O. H) w+ c8 `-SI = 4647h# x, X5 V9 e/ v& D* Z% }5 I
-DI = 4A4Dh
2 a4 i, [$ F% i2 f+ o5 h5 {3 ^6 QWhich are the 'magic values' used by SoftIce.
8 {3 H' |- G) c* ^; ZFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.% v( _4 t6 a( Q, R6 N
; e* P- e) H+ n( t7 G6 [' E
Here is one example from the file "Haspinst.exe" which is the dongle HASP
& e, H; x4 y6 j3 YEnvelope utility use to protect DOS applications:
! k5 T$ {7 h: w4 e& A3 H
7 @! u/ |$ `, ~- U+ z' _
" V2 `5 I2 E% c' [9 F- G# @- \4C19:0095 MOV AX,0911 ; execute command.
~4 @# k8 E0 D! s4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).$ H4 h+ k1 P" c C( d2 @1 Z
4C19:009A MOV SI,4647 ; 1st magic value.
4 t' ^/ F' P/ y: }, l' K' h2 G1 C& {* `4C19:009D MOV DI,4A4D ; 2nd magic value.
) L1 L; S0 b5 O& o R8 ?) a4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
1 r T/ r" y2 k1 F2 z4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute! Q D, w# c$ I& y5 T
4C19:00A4 INC CX
2 X$ ~' W# g( [6 U1 v! b: o4C19:00A5 CMP CX,06 ; Repeat 6 times to execute, P( j1 ?" n/ b- _4 B9 O9 y% j
4C19:00A8 JB 0095 ; 6 different commands.
, B; P1 ?( w$ B- m4C19:00AA JMP 0002 ; Bad_Guy jmp back.
" H* q8 m" ]- e! R% f6 S& V4 @4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
& m3 x( n0 m* l+ o3 ?
2 D- P/ `( ?% |! Q% t, `The program will execute 6 different SIce commands located at ds:dx, which) H8 X$ u: B5 j( ~6 d
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.$ b5 N/ v* _" N# u) c$ G5 E
1 u" V4 C1 g+ H ~$ M$ k6 V0 G
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
! H1 p& P+ L! f" ]) q___________________________________________________________________________0 J* j9 Y& G* I" T- T
; }4 K8 L5 v6 y5 V9 }& T6 a
; d# _+ t; ~# X3 V! G& v& U; X) xMethod 03+ B A. g7 r8 z% M
=========0 v6 w% h2 h3 ]
# i0 F' G7 N- Q8 s3 {* |Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
6 N9 V) X) H h8 X& _: l* V! T(API Get entry point)
$ r0 [8 F( q- t% C0 y% R( _ / M6 k T3 l2 I
3 g% B. E2 b6 r0 P. X+ Q; u xor di,di6 D9 B7 u# g3 @! S! Y- a
mov es,di
8 _8 X- l9 ~ _8 Y& U( n2 h7 s mov ax, 1684h 3 }8 t; Z9 o$ q
mov bx, 0202h ; VxD ID of winice* q3 j. H+ t8 A, e# j8 V
int 2Fh
0 Z: [, a9 A1 m mov ax, es ; ES:DI -> VxD API entry point
" O! T. X1 N Y, `" ?+ ]$ S% r add ax, di
2 ^2 w/ \! Y& `7 l J. { c test ax,ax% C" w* }9 c+ _. g6 J/ E
jnz SoftICE_Detected2 F+ _4 \* ~1 V
0 ^7 x3 Q: X n7 t/ V___________________________________________________________________________" n% c% @2 w3 E: B0 L, o1 {
- X3 w2 r" W" f9 S9 K% v' z2 Q: B
Method 04
5 `3 s3 g: ^9 N0 ?$ P- S% `0 w=========/ H' a L/ F! d( _' H! f& X1 ~
8 G- w3 W) w6 [/ A& D$ y
Method identical to the preceding one except that it seeks the ID of SoftICE2 m( B- C: ^* q
GFX VxD.
3 E+ A- H% x- u9 b2 A3 m8 g
' b9 D- r$ B; p$ z( F( s xor di,di
$ O* B, \! ], e1 A' y, w/ n& O mov es,di. ~. b4 _3 V4 K" @2 F3 O
mov ax, 1684h & a" U/ z6 |- ]6 q5 N
mov bx, 7a5Fh ; VxD ID of SIWVID
! ^9 |! _& C6 c5 L* @ int 2fh/ t2 U3 O( T* u+ c; e3 E- R! C7 g
mov ax, es ; ES:DI -> VxD API entry point9 E' v$ P4 W6 Q3 u( P, T
add ax, di
! G" G/ j: o" Q; t3 m# c' k test ax,ax
3 d! b; f- U! C jnz SoftICE_Detected
& q' y' [! T* S" d2 R! `/ F1 v
3 |4 L1 s2 S* M# P" v__________________________________________________________________________) F: p0 h. v% Y& z. I T1 u
, R2 | w6 |( Z1 J9 G, S* l
+ N- r) s& ]8 JMethod 051 L( \1 R7 s- E, e ]
=========
, [6 j+ \& ?+ o/ J/ y
+ k+ q0 X; F. SMethod seeking the 'magic number' 0F386h returned (in ax) by all system3 Q; ]+ a. T ~1 h6 L C
debugger. It calls the int 41h, function 4Fh.+ R5 v% o2 K% ~
There are several alternatives.
/ p, D9 y/ ?1 @3 b; c
6 N i8 ~0 e7 g MThe following one is the simplest:
" b: {$ ?8 Y4 e ~* o/ f; P5 F
8 k9 M- a8 A! K% Z7 d mov ax,4fh
7 e4 j; ~ ~3 e6 n: U% V int 41h0 l7 d7 X7 \9 v4 h) m7 X& }
cmp ax, 0F3867 ^! Q' F" h0 U
jz SoftICE_detected
3 Z' O6 N4 w2 O: _3 i$ V4 w. Z/ ~$ H7 ^$ u' @
: U9 t# K7 n. {: T1 |/ y4 m
Next method as well as the following one are 2 examples from Stone's
6 c% F7 s8 I+ Y7 [/ y# V"stn-wid.zip" (www.cracking.net):) C( }1 e1 C# X2 b1 I
% o1 n9 V! L& V- B! v' Q" }" x
mov bx, cs
2 T, O4 M4 z. [. A3 T lea dx, int41handler23 w J0 o% M5 J% E4 W
xchg dx, es:[41h*4]
& j+ t3 F! a. V: K, N9 _6 P: Z; r xchg bx, es:[41h*4+2]) R% C( {$ g* K2 |* z
mov ax,4fh
& k4 D' J, T; i7 S5 U+ C$ h int 41h
3 }5 s! V+ ]. P! |+ {# K7 k' B xchg dx, es:[41h*4]. @; ~- n9 f5 H" V N! @' a G
xchg bx, es:[41h*4+2]' V" c7 Q0 X ^ V' ~1 v/ N3 l# W
cmp ax, 0f386h0 {3 h7 a. e8 H; ~* Q8 H
jz SoftICE_detected) k+ m& p( h5 l5 N; Y$ A% r
7 H+ m: l1 C) `! N# G- r: x( Rint41handler2 PROC" w7 ]" U; e$ H
iret
0 F1 t9 _! X1 c% ]7 Lint41handler2 ENDP3 j' }1 Y$ z3 E. d1 W( _5 D. I
6 w9 _7 R8 D+ r# B
8 o/ @$ K* ]) j) t# S_________________________________________________________________________" a" C0 l1 Z) x, V8 q; z
# x* z: ]$ B: ~. [4 Z6 Y
& }7 V: i: t, P- l# |Method 06* U' B, F+ Y" @4 n
=========- Y1 G0 L. J6 r2 r2 A+ b8 d
9 z0 k& M( Y5 X s) J% }& v) b
# l+ v y5 W# N# F( ^2 k2nd method similar to the preceding one but more difficult to detect:4 S! j( {- S" e* Q+ t& s
; N: O' e0 R; d- W+ m! r2 F
% y& |# M H5 d; Y$ f4 E5 w+ ?int41handler PROC. S# Q: b) R3 D7 Y8 P" r7 C
mov cl,al
3 V1 l: |0 C! U+ q, a iret/ C$ a/ j' o# p6 H- _
int41handler ENDP: @ Z* K- Z1 F* t2 ^" X5 T
, E* e, K3 ^, ^' {# T, @" C) p) k% \! o& [ c' `; k# K8 e
xor ax,ax
j8 q W; G3 Y" u' ?# t mov es,ax
; |2 k' a# W. a( H+ C6 W mov bx, cs0 e1 u2 l/ x9 [6 X) e2 M9 J
lea dx, int41handler
- q) B6 ~: K0 ^ l xchg dx, es:[41h*4]& C, }( X6 [2 I I# k
xchg bx, es:[41h*4+2]
" s/ _& q" p. h in al, 40h% ^* ^1 O1 [; u2 ^6 r8 q
xor cx,cx
) D' O% X( `4 H' Z int 41h9 @% @8 V, J9 O- Y# F
xchg dx, es:[41h*4]1 ^" ]1 `: C* U) d- v( T; S. A
xchg bx, es:[41h*4+2]
$ A6 t" E: `2 K3 Q2 ^) W cmp cl,al+ L8 x6 N" U6 D0 u- Y. k2 y
jnz SoftICE_detected
9 P- R6 e2 b x# W
) Y( W; c; a) }3 X_________________________________________________________________________
0 \- y5 I$ T: T8 {0 s3 x) L: P* h- C0 J' q: D7 Y
Method 07
- W6 O7 w: C" I# k; [5 ?* o+ @' P* f=========+ o6 `$ {' T4 g
3 q6 }% i6 Y! E1 u) b! C
Method of detection of the WinICE handler in the int68h (V86)+ F+ \: e- f5 i8 Y
8 w4 ?3 {% O* Z- j
mov ah,43h
% p, q/ f* X! a* G/ Y int 68h
6 ?. Y6 c D" y! D) D% I# N cmp ax,0F386h
/ ]$ B$ \1 ]# H9 A# Y" m. J( M: y jz SoftICE_Detected$ b" J. j; {) J. }
9 t* e+ A) }/ e
5 I8 i9 l5 p3 V$ F8 C=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit5 ^' r4 N. y' v& r
app like this:* ]. U: A4 ?% e
* [) M, x3 T& A- Z8 E% P: N BPX exec_int if ax==68& O6 H3 y. x0 @) H! O
(function called is located at byte ptr [ebp+1Dh] and client eip is9 ~1 w3 [' A% i- ^( b; ?
located at [ebp+48h] for 32Bit apps): @1 m3 _5 u0 ]7 s- z: `
__________________________________________________________________________
: G V; K8 o1 e- A) t9 {) t/ j7 D; A, S- n0 e( D+ y& Y9 ]3 |
( Z. K2 {- t* f, qMethod 08# ]/ X0 l9 W' Y. Y8 M
=========. w4 ^ r# x! p4 }
6 `# p2 I4 Q1 x5 S( u
It is not a method of detection of SoftICE but a possibility to crash the; k6 I& `; ]6 h6 o2 X) Y: E
system by intercepting int 01h and int 03h and redirecting them to another
" p; n2 J/ y, j' T3 k; `routine.5 W# t$ Q% J1 p. o. J/ K
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points1 i: M6 k0 X( l
to the new routine to execute (hangs computer...)( z' C9 i4 ~9 |6 Q; z
) R9 w/ z& X+ V- D( V' q) H2 Y, H
mov ah, 25h
3 n5 A: f, a* r' N mov al, Int_Number (01h or 03h)4 ~4 `8 b6 u0 E7 y6 ?- d' I
mov dx, offset New_Int_Routine4 E7 b: s) d. C5 n
int 21h
/ ~$ ?6 r% k: V! `% i: g* K, I0 M1 h' k* ]2 K
__________________________________________________________________________# p& r; k: o1 H% P' i8 X
( s& t3 g# R& g* S) X2 K' YMethod 09
2 d8 h, ^" Q- {0 b# K4 `=========
( k9 A# I& J U% S! T3 p# E
8 i+ @: S6 R g- { k0 z; W6 NThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only i6 F7 V$ Q" [- J0 L
performed in ring0 (VxD or a ring3 app using the VxdCall).
" y T4 G0 N8 |& C1 I* MThe Get_DDB service is used to determine whether or not a VxD is installed
& ^- M" Y4 s+ v |for the specified device and returns a Device Description Block (in ecx) for
) i6 v, b3 l& ^' I6 _. ithat device if it is installed.; h* [ r& {. i' |. Y
; G, ~2 @8 M" t. G mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID% B. `7 [- |2 ]( H: \) G
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
7 _+ L0 L$ W) o+ t VMMCall Get_DDB
R8 y$ a' i5 } mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
+ [8 P! e+ V4 y$ j1 c
, x$ `" N1 Y3 U7 ]. vNote as well that you can easily detect this method with SoftICE:
5 W0 q+ q# F- D# ` bpx Get_DDB if ax==0202 || ax==7a5fh
- E2 W9 p8 n$ k: C3 `6 ?- i
/ T" T* [- M6 z A6 T) d__________________________________________________________________________
' D0 s- ?" x: l# B3 b; @0 X6 u$ `( u" u* f* y
Method 10/ V) ]8 t3 L* C5 }; F/ K8 L6 W
=========
( g$ M- F: o& m3 W& G3 w1 U2 r" y' R
=>Disable or clear breakpoints before using this feature. DO NOT trace with4 F+ n7 ?; r' j0 U0 ~- G$ s
SoftICE while the option is enable!!
* s( r+ U, `5 W8 }. ^: }' h3 S
This trick is very efficient:. S+ x/ L- p; `* d! l; G9 U! K
by checking the Debug Registers, you can detect if SoftICE is loaded
: N% ]( a1 l/ B6 [0 S(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if5 I- B# ~" ^8 U
there are some memory breakpoints set (dr0 to dr3) simply by reading their
, D# R) n1 ]( R$ X( A. A2 Ovalue (in ring0 only). Values can be manipulated and or changed as well/ A# `% S7 w2 M! I/ S) A- @: d
(clearing BPMs for instance)
, X+ p Y6 c% e! p( q) Q0 @
# D% A6 ^' }1 L$ u__________________________________________________________________________0 u0 G: {$ E( W) T h' F
0 S* P) L T& Z% B% Q* `) X: XMethod 115 Z6 i: Q* l* R, Z: H5 @: l
=========: c- d3 q$ `% [6 ^$ ?+ P
s) h3 i- ^' G' Q7 N& w( F+ A
This method is most known as 'MeltICE' because it has been freely distributed
" J5 a. x- }' _2 Svia www.winfiles.com. However it was first used by NuMega people to allow
8 _( z8 J3 a O, N, y! e: JSymbol Loader to check if SoftICE was active or not (the code is located
" Y( O. S, Q0 ^0 Rinside nmtrans.dll).
# z4 `9 T" G" H7 h6 I, E
' s- G3 n$ J. p4 r0 _ Q2 jThe way it works is very simple:
. G2 q% U, J# j; n! ~It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
+ u3 T; k: c+ g& Z* aWinNT) with the CreateFileA API.
% r/ l( x6 n( N9 K5 N/ z" `0 }' z5 c) O% K& Q
Here is a sample (checking for 'SICE'):' ^ y1 g; A* [& k
. w; H; F i; o: K: z; u9 v- nBOOL IsSoftIce95Loaded()7 K T n8 p: g% T
{: g, m. ^% Z- y4 _1 `4 P/ M& u
HANDLE hFile; 6 F: G& {1 s: o
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,: C- C) u+ }1 a' ` ?
FILE_SHARE_READ | FILE_SHARE_WRITE,8 J2 l# }# M& `, M" Z0 F$ X) k
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);, l# z9 W* L5 T
if( hFile != INVALID_HANDLE_VALUE )
. Q6 T- @8 Q! x# A3 W# A ^ {3 t; c W6 K+ N) k' W
CloseHandle(hFile);9 H) k: Z. q6 T- t: A
return TRUE;
8 M) k# X# h1 r! S4 @3 P O' e4 u9 a }+ z- |) m2 a a8 c" ~% u5 S9 j
return FALSE;
' K6 Q6 M9 l3 H7 l}
* `9 I* w. {# z+ L6 L& X/ P w$ i# j' |+ f+ q2 ?$ e+ m
Although this trick calls the CreateFileA function, don't even expect to be
5 I4 s2 [+ [3 P7 Nable to intercept it by installing a IFS hook: it will not work, no way!
6 Y, f2 _0 ~9 F% m E7 h2 `5 BIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
, w" U2 O' j3 \3 I! T7 \service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
2 i# y3 d' W! \: K- L! gand then browse the DDB list until it find the VxD and its DDB_Control_Proc& \' ^1 o" D4 { N) ]/ d3 Q% A9 j
field.9 j, \- j7 x3 C+ M# V& A; G% d: A6 f
In fact, its purpose is not to load/unload VxDs but only to send a : _' E: Q4 r; X
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
9 O6 }2 Q# R6 k' ^0 Cto the VxD Control_Dispatch proc (how the hell a shareware soft could try4 Y' q5 c7 b" O& N" Y0 `$ x
to load/unload a non-dynamically loadable driver such as SoftICE ;-).! ?# S% A8 H( I; }8 u
If the VxD is loaded, it will always clear eax and the Carry flag to allow
: \: M1 i. s& e1 Y1 h4 o7 R9 M. Rits handle to be opened and then, will be detected.9 j6 L; m! V0 w+ J4 t. u
You can check that simply by hooking Winice.exe control proc entry point1 D0 }2 N+ v0 C) I6 u6 J8 ~' h" @) r
while running MeltICE.. o; s P2 f/ m
8 H% q. @& P4 a5 }# c/ Q6 H
. f& b7 S/ U- o0 D( C) R 00401067: push 00402025 ; \\.\SICE
: Z7 _7 M# I' R% B6 Z* q( G 0040106C: call CreateFileA
. D4 q w! p3 C0 k3 \8 `6 W) `4 E+ s 00401071: cmp eax,-001
% y# q+ T2 E6 L1 Q; |( ~, h 00401074: je 00401091
# j0 t( M( V! D3 j' K: B& B
4 s* V" ]- c: i
1 Z$ Q q, m/ I- e' P# ^' W) n- @There could be hundreds of BPX you could use to detect this trick.
3 ?5 O8 m' V5 O5 Y& k. U( l3 Y7 |-The most classical one is:) a- ]' D# r. U+ O
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
" C; Y1 {$ @) a& [3 @# z; y *(esp->4+4)=='NTIC'! D- {# n+ s/ C1 D0 f3 h: ]- x
' d4 `& R7 D0 Z1 b* \; _( \( r
-The most exotic ones (could be very slooooow :-(
U+ t8 F9 T0 Z. I9 @9 U; e" [ BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
' B: a1 c# K7 F8 X7 R' z* w ;will break 3 times :-(, P4 U/ w) ]1 b2 C
3 r9 X; C( H7 a9 M- s4 k2 R
-or (a bit) faster: ~4 Z) k, s9 s$ G
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
' v9 H; a/ _' c2 R( f8 w$ w6 k* [# @1 _& v+ w7 }) L
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' f$ x; C3 x: r
;will break 3 times :-(
. S; R$ { X/ q8 }
6 H# ~) J( n8 Y/ Z; t8 B) k-Much faster:% A' A0 Z+ v# W' H0 J. I5 D" s: i
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV': r8 g. }2 q' I- b: i
4 U3 Q- g V; w
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
$ Q6 z; k& ^/ k. B0 h( l9 Mfunction to do the same job:; n8 P- l3 t( N- @. {4 a
+ [2 @/ d3 P6 [1 I/ u( @$ e9 q push 00 ; OF_READ
; m ?. i/ O+ s( @6 { m9 k mov eax,[00656634] ; '\\.\SICE',0
* @9 K0 B( X$ S- { push eax
: W2 [1 k* ^& D5 J4 H4 } call KERNEL32!_lopen/ g( g% B+ Y3 S) d
inc eax
! T: A7 m5 e8 x2 z' n: A# ` jnz 00650589 ; detected4 l C, V" S% O2 z# P s
push 00 ; OF_READ
4 ~0 A& @5 e N: o& X4 z( A( | mov eax,[00656638] ; '\\.\SICE'
8 h( K- r% N* p, T" _/ n push eax
" T% S1 `- V1 i! T call KERNEL32!_lopen6 J' D' L/ [6 p# ?, o5 i
inc eax" T, E/ k: h" \4 K: ~
jz 006505ae ; not detected
( {$ o& Y/ E4 Y9 g& U, g! K8 E8 e2 i/ S
/ u/ B. q" J* r3 ]) g9 i' Z__________________________________________________________________________. p3 z' Y3 P5 K+ [( p& \# h
* \0 ?5 h% o+ O$ E* x6 tMethod 12
# z$ ~6 S4 f: V9 A8 G+ w, @=========) _, q% Q) ? ?9 r- z* M0 M; E
) D, u( m2 r( w" W4 j
This trick is similar to int41h/4fh Debugger installation check (code 05( t6 w: V+ N, e+ |
& 06) but very limited because it's only available for Win95/98 (not NT)
' M4 q1 S' l+ c$ ~8 C4 @as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
3 j* c9 ?( ]- i1 z3 I8 _6 O- { z0 g
push 0000004fh ; function 4fh' N9 A! h+ u/ V7 j& Q; F
push 002a002ah ; high word specifies which VxD (VWIN32)
% T, i$ F) ? [: ~7 V3 P ; low word specifies which service6 i0 ? D& g, t* O2 d& e3 b
(VWIN32_Int41Dispatch)7 u& Q% R3 N' J8 u! W
call Kernel32!ORD_001 ; VxdCall- W$ m# x# E7 M3 U( L( |
cmp ax, 0f386h ; magic number returned by system debuggers+ C0 T: Y/ j- ]6 K, a- x: `3 `/ i' q
jz SoftICE_detected: R6 S q# V$ ?& {, ^( w
F. M5 C9 V, l0 ^+ g8 o- DHere again, several ways to detect it:
& A9 j( x. P0 O
9 |/ a5 G! `# t/ c: Z- h BPINT 41 if ax==4f
$ Y$ H5 A; O) e" s0 _9 G1 f" p) s
5 u1 g+ ]4 @! y BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
2 Q" b3 |8 N1 U+ a* {
0 N9 l, H y& I7 B) |4 M BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A; v' q* t6 @9 l6 b9 h4 \
: m& |/ Q4 O( b6 G! k) D3 D) ^
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
! X9 W/ d! C& I% E) A* k
" A9 K# _% ^+ D1 z# h__________________________________________________________________________$ Q- W$ w! }8 L) F* t4 P
# u/ G4 [; N, Q2 K4 c2 i( CMethod 13% T- J( M. j5 {, @1 J# [
=========
( g) D3 o% Y! W+ o
( ]( B+ S% {5 j) k; d# ?& J9 SNot a real method of detection, but a good way to know if SoftICE is0 |9 P& h/ f/ {& ?7 p9 N' w
installed on a computer and to locate its installation directory.
# X5 m/ ^: Y( TIt is used by few softs which access the following registry keys (usually #2) :
4 K9 C! Y* \4 o% F$ N. e3 O$ W+ U/ h; T1 H
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion6 S! X9 T5 }6 \. O3 S( Q* {
\Uninstall\SoftICE
8 h& `2 z' v: O-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE- a9 I e* t$ }% _1 ~2 @" s; }* v# Z
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
! Q5 ^% X, h- B& R5 N\App Paths\Loader32.Exe: i! j" ], u5 t1 L2 k
; M1 `+ ~- T+ H7 m
" _# i6 b" o7 i9 E" qNote that some nasty apps could then erase all files from SoftICE directory+ v# R! S- W# @. V. Q
(I faced that once :-(
6 y1 K! P/ }) `# |3 E) }$ _; q& k4 V2 p, H
Useful breakpoint to detect it:
5 O, ~) x3 r8 n. u- x# U: W! u9 U7 R- y B) [2 T+ Y' g4 J
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
/ f( b7 k4 v# j3 P- G" ~# b. f; ^4 }& ]# q
__________________________________________________________________________
, C$ _* e" Q6 ~. j9 s
0 P- E- e. {! f3 v9 h' P! |0 n& H7 C- x) V
Method 14
! X. n; U; J4 N- g3 V6 c' ?=========3 P* X3 A, \9 N7 g6 `
9 w. h% r8 n$ d( ?3 T2 C9 e
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
$ g) f0 K, b0 Z, m# W) Q9 zis to determines whether a debugger is running on your system (ring0 only).
. d: ]: W& o3 t+ R
8 [# c3 s! M. M$ m VMMCall Test_Debug_Installed
+ g! |! ~) ^/ G- Z3 L je not_installed
- V' F1 [1 ?% c/ g- {' u0 V9 } M8 F4 F% d M1 L
This service just checks a flag.- C- I* Z6 w, R- L0 J
</PRE></TD></TR></TBODY></TABLE> |