<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: with ebp='BCHK' and
ax=4, SoftICE's int 3 handler modifies al, so al is no longer 4 on return.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02         ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; es is assumed to point to segment 0 (the IVT), as in Method 06
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; some non-zero value (timer)
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; if SoftICE handled int 41h, cl is still 0
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
app like this:

        BPX exec_int if ax==68
        (function called is located at byte ptr [ebp+1Dh] and client eip is
        located at [ebp+48h] for 32Bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
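Added here as a worked example that is not part of the original text: a small Python decoder for the DR7 layout Method 10 reads. It shows why an idle register reads 0x400 (bit 10 is a reserved always-one bit), what the 0x700 value above adds (the LE and GE exact-breakpoint enable bits, 0x100 + 0x200), and how an armed dr0..dr3 slot shows up in the enable and R/W-LEN fields. Bit assignments follow the Intel architecture manual; nothing here is SoftICE's own code.

```python
# Added example, not from the original text: decode DR7 as read by Method 10.
# Bit layout per the Intel SDM ("Debug Registers"):
#   bits 0..7          L0,G0 .. L3,G3  local/global enable for slot i
#   bit 8 LE, bit 9 GE                 "exact" breakpoint enables
#   bit 10                             reserved, always reads as 1 (hence 0x400)
#   bit 13 GD                          general detect (trap MOV to/from DRx)
#   bits 16+4i..17+4i  R/W(i)          0=execute 1=write 2=I/O 3=read/write
#   bits 18+4i..19+4i  LEN(i)          0=1 byte 1=2 bytes 2=8 bytes 3=4 bytes
LE_BIT, GE_BIT, RESERVED_ONE, GD_BIT = 1 << 8, 1 << 9, 1 << 10, 1 << 13
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Return the armed slots plus the LE/GE/GD flags of a DR7 value."""
    slots = []
    for i in range(4):
        local_en = (dr7 >> (2 * i)) & 1
        global_en = (dr7 >> (2 * i + 1)) & 1
        if not (local_en or global_en):
            continue                      # slot i is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"slot": i, "local": bool(local_en),
                      "global": bool(global_en),
                      "kind": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"slots": slots, "le": bool(dr7 & LE_BIT),
            "ge": bool(dr7 & GE_BIT), "gd": bool(dr7 & GD_BIT)}


def classify_dr7(dr7):
    """Method 10's reading of the register: 'clean' for the idle 0x400,
    'softice_loader' for 0x700 (LE and GE set, no slot armed) and
    'hw_breakpoints' as soon as any dr0..dr3 slot is enabled."""
    info = decode_dr7(dr7)
    if info["slots"]:
        return "hw_breakpoints"
    if info["le"] and info["ge"]:
        return "softice_loader"
    return "clean"


def bpm_dr7(slot, kind="read/write", length=4, base=RESERVED_ONE):
    """DR7 needed for a memory breakpoint (what the text calls a BPM) in
    `slot`: the slot's local enable bit plus its R/W and LEN fields."""
    rw = {v: k for k, v in RW_NAMES.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    return (base | (1 << (2 * slot)) | (rw << (16 + 4 * slot))
            | (ln << (18 + 4 * slot)))
```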

___________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the Win9x SoftICE driver answers to its device name. */
BOOL IsSoftIce95Loaded(void)
{
        HANDLE hFile;
        hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                             FILE_SHARE_READ | FILE_SHARE_WRITE,
                             NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if( hFile != INVALID_HANDLE_VALUE )
        {
                CloseHandle(hFile);     /* handle opened: the VxD is loaded */
                return TRUE;
        }
        return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',00
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
        \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
        \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
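Added as a worked example that is not part of the original text: a Python triage scanner that looks for the byte-level signatures of methods 01, 02, 03/04, 05, 11, 12 and 13 above in a code or data blob, the kind of static check an analyst runs on a packed sample before loading it in a debugger. The byte encodings (mov reg,imm and cmp ax,imm16 in 16-bit form, plus the device-name and registry strings from the text) are standard x86; the sample blob is constructed here, not taken from any real binary.

```python
# Added example, not part of the original text: static scan of a blob for the
# signatures of the anti-SoftICE methods on this page. Opcode patterns are
# the 16-bit encodings; 32-bit code carries the same bytes behind a 66h
# operand-size prefix, which these short cores still match.
SIGNATURES = [  # (method number in the text, description, byte pattern)
    (1, "mov ebp,4243484Bh ('BCHK' BoundsChecker signature)", b"\xBD\x4B\x48\x43\x42"),
    (2, "mov si,4647h (1st int 3 backdoor magic value)", b"\xBE\x47\x46"),
    (2, "mov di,4A4Dh (2nd int 3 backdoor magic value)", b"\xBF\x4D\x4A"),
    (3, "mov bx,0202h (SICE VxD ID for int 2Fh/1684h)", b"\xBB\x02\x02"),
    (4, "mov bx,7A5Fh (SIWVID VxD ID for int 2Fh/1684h)", b"\xBB\x5F\x7A"),
    (5, "cmp ax,0F386h (system debugger magic number)", b"\x3D\x86\xF3"),
    (11, "device name \\\\.\\SICE (MeltICE)", b"\\\\.\\SICE"),
    (11, "device name \\\\.\\SIWVID (MeltICE)", b"\\\\.\\SIWVID"),
    (11, "device name \\\\.\\NTICE (MeltICE, NT)", b"\\\\.\\NTICE"),
    (12, "push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)", b"\x68\x2A\x00\x2A\x00"),
    (13, "registry key Software\\NuMega\\SoftICE", b"Software\\NuMega\\SoftICE"),
]


def scan(blob):
    """Return every (offset, method, description) hit, sorted by offset.
    The 3-byte opcode cores can fire on unrelated data, so treat a single
    hit as a lead to inspect, not as proof."""
    hits = []
    for method, desc, pat in SIGNATURES:
        idx = blob.find(pat)
        while idx >= 0:
            hits.append((idx, method, desc))
            idx = blob.find(pat, idx + 1)
    return sorted(hits)


def backdoor_call_sites(blob, window=16):
    """Strong form of the Method 02 signature: offsets of an int 3 (CCh)
    preceded within `window` bytes by both magic-value loads."""
    return [i for i in range(len(blob)) if blob[i] == 0xCC
            and b"\xBE\x47\x46" in blob[max(0, i - window):i]
            and b"\xBF\x4D\x4A" in blob[max(0, i - window):i]]


def methods_found(blob):
    """Sorted list of the method numbers that have at least one hit."""
    return sorted({m for _, m, _ in scan(blob)})


# Constructed sample (not a real binary): NOP filler around Method 02's
# prologue (mov ax,0911h / mov si,4647h / mov di,4A4Dh / int 3), a MeltICE
# device name, and Method 05's mov ax,4Fh / int 41h / cmp ax,0F386h.
SAMPLE = (b"\x90" * 16
          + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"
          + b"\x90" * 8
          + b"\\\\.\\SICE\x00"
          + b"\x90" * 8
          + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3")
```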
</PRE></TD></TR></TBODY></TABLE>