<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected


_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
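To make the dr7 values quoted above concrete, here is an added example (not part of the original text, and not code from SoftICE or any tool it mentions): a small Python decoder for the DR7 debug-control register. Bit 10 of DR7 is reserved and always reads as 1, which is why 0x400 is the "nothing armed" baseline; 0x700 additionally has the LE (bit 8) and GE (bit 9) exact-breakpoint enables set. Memory breakpoints on dr0-dr3 appear as the per-slot L/G enable bits in bits 0-7 plus the R/W and LEN fields in bits 16-31. The bit layout follows the Intel SDM; the sample register values in the block are constructed for illustration.

```python
"""Decoder for the x86 DR7 debug-control register (added example)."""

DR7_RESERVED_ONE = 1 << 10   # reserved bit, always reads as 1
DR7_LE = 1 << 8              # local exact breakpoint enable
DR7_GE = 1 << 9              # global exact breakpoint enable
DR7_GD = 1 << 13             # general detect: trap on any MOV to/from DRx

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 0b10 = 8 bytes, 64-bit mode only
RW_CODES = {name: code for code, name in RW_NAMES.items()}
LEN_CODES = {size: code for code, size in LEN_BYTES.items()}


def decode_dr7(dr7):
    """Return a dict describing the control bits and the four breakpoint slots."""
    slots = []
    for i in range(4):
        local = bool(dr7 >> (2 * i) & 1)        # Li bit
        glob = bool(dr7 >> (2 * i + 1) & 1)     # Gi bit
        rw = dr7 >> (16 + 4 * i) & 3            # R/Wi field
        ln = dr7 >> (18 + 4 * i) & 3            # LENi field
        slots.append({
            "slot": i,
            "enabled": local or glob,
            "local": local,
            "global": glob,
            "type": RW_NAMES[rw],
            "len": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & DR7_LE),
        "GE": bool(dr7 & DR7_GE),
        "GD": bool(dr7 & DR7_GD),
        "slots": slots,
    }


def enabled_slots(dr7):
    """Indices of dr0-dr3 that currently arm a hardware breakpoint."""
    return [s["slot"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def build_dr7(slot, access, length, local=True):
    """Compose a DR7 value arming one slot (e.g. what a 4-byte write BPM looks like)."""
    if access == "execute" and length != 1:
        raise ValueError("execute breakpoints must use LEN=1")
    value = DR7_RESERVED_ONE
    value |= 1 << (2 * slot + (0 if local else 1))
    value |= RW_CODES[access] << (16 + 4 * slot)
    value |= LEN_CODES[length] << (18 + 4 * slot)
    return value


def clear_breakpoints(dr7):
    """Disarm every slot (bits 0-7) while leaving the other control bits alone.

    This is the 'clearing BPMs' manipulation the text mentions, seen from the
    register side: the addresses in dr0-dr3 stay, only the enables go.
    """
    return dr7 & ~0xFF


def describe(dr7):
    """Human-readable summary of a dumped DR7 value."""
    d = decode_dr7(dr7)
    lines = [f"dr7=0x{dr7:X}: LE={d['LE']} GE={d['GE']} GD={d['GD']}"]
    for s in d["slots"]:
        if s["enabled"]:
            scope = "local" if s["local"] else "global"
            lines.append(f"  dr{s['slot']}: {scope} {s['type']} breakpoint, {s['len']} byte(s)")
    if len(lines) == 1:
        lines.append("  no hardware breakpoints armed")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed values: the two dr7 states from the text, then two armed slots.
    for value in (0x400, 0x700,
                  build_dr7(0, "write", 4),
                  build_dr7(2, "execute", 1, local=False)):
        print(describe(value))
```

Running it prints the two baseline states with no slots armed, then a 4-byte write BPM in dr0 (dr7=0xD0401) and a global execute breakpoint in dr2 (dr7=0x420), which is the shape a ring0 check reads back when memory breakpoints are set.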
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

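The breakpoints listed for each method catch the tricks at run time. As an added example (not part of the original text, and not a tool from any of the programs or archives it cites), the Python scanner below does the static counterpart: it encodes the instruction sequences and device names from Methods 01, 02, 03/04, 05/06, 07, 11 and 12 as raw x86 opcode bytes and reports where they occur in a file, so an analyst can see which of these checks a packed sample carries before single-stepping it. The encodings are the standard 16-bit forms (the 32-bit forms of the same 16-bit moves only add a 0x66 prefix, which the patterns do not need to see), immediates are little-endian, and the SAMPLE bytes are hand-assembled for the demonstration, not taken from any real binary. Short patterns such as a bare int 41h are weak evidence on their own; the value is in the combination of hits.

```python
"""Static triage scanner for the SoftICE-detection byte sequences (added example)."""
import re

# (label, regex over raw bytes).  The leading tag names the method(s) above.
PATTERNS = [
    ("M01 BoundsChecker 'BCHK' signature (mov ebp,4243484Bh)",
     rb"\xBD\x4B\x48\x43\x42"),
    ("M02 back door magic values (mov si,4647h followed by mov di,4A4Dh)",
     rb"\xBE\x47\x46[\x00-\xFF]{0,16}?\xBF\x4D\x4A"),
    ("M03/M04 int 2Fh/1684h VxD entry-point lookup (mov ax,1684h)",
     rb"\xB8\x84\x16"),
    ("M03 SICE VxD id (mov bx,0202h)", rb"\xBB\x02\x02"),
    ("M04 SIWVID VxD id (mov bx,7A5Fh)", rb"\xBB\x5F\x7A"),
    ("M05/M07/M12 debugger magic number compare (cmp ax,0F386h)",
     rb"\x3D\x86\xF3"),
    ("M05/M06 int 41h call", rb"\xCD\x41"),
    ("M07 int 68h call", rb"\xCD\x68"),
    ("M11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("M12 VxDCall VWIN32_Int41Dispatch (push 002A002Ah)",
     rb"\x68\x2A\x00\x2A\x00"),
]


def scan(blob):
    """Return (offset, label) pairs for every hit, ordered by offset."""
    hits = []
    for label, pattern in PATTERNS:
        for m in re.finditer(pattern, blob):
            hits.append((m.start(), label))
    return sorted(hits)


def methods_seen(blob):
    """Sorted method tags (e.g. 'M02') present in the blob, for a quick verdict."""
    tags = set()
    for _, label in scan(blob):
        tags.update(label.split()[0].split("/"))
    return sorted(tags)


def scan_file(path):
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample (not a real binary): the Method 01, Method 02 and
# Method 05 sequences hand-assembled in 16-bit form, plus two MeltICE
# device strings, separated by NOP/zero filler.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"                       # mov ebp, 4243484Bh ('BCHK')
    + b"\xB8\x04\x00\xCC\x3C\x04\x75\x05"           # mov ax,4 / int 3 / cmp al,4 / jnz +5
    + b"\x90" * 3
    + b"\xB8\x11\x09"                               # mov ax, 0911h
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"               # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"   # mov ax,4Fh / int 41h / cmp ax,0F386h / jz +5
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"            # \\.\SICE and \\.\NTICE device names
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:08x}  {label}")
    print("methods seen:", ", ".join(methods_seen(SAMPLE)))
```

On the constructed sample the scanner reports six hits (the 'BCHK' constant, the SI/DI magic pair, the int 41h, the 0F386h compare and both device names) and tags Methods 01, 02, 05, 06, 07, 11 and 12 as candidates; on a real file, pass its path to scan_file and read the offsets back in a disassembler to confirm each hit is code rather than a coincidental byte run.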
__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>