<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: SoftICE's int 3 handler
recognises the 'BCHK' value in EBP and, when it is loaded, returns from the
int 3 with AL cleared, so the comparison with 4 fails.

mov ebp, 04243484Bh ; 'BCHK'
mov ax, 04h
int 3
cmp al,4
jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point): ES:DI comes back as 0:0 when no VxD with
that ID is loaded, so a non-zero ES+DI means the VxD is present.

xor di,di
mov es,di
mov ax, 1684h
mov bx, 0202h ; VxD ID of winice
int 2Fh
mov ax, es ; ES:DI -> VxD API entry point
add ax, di
test ax,ax
jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

xor di,di
mov es,di
mov ax, 1684h
mov bx, 7a5Fh ; VxD ID of SIWVID
int 2fh
mov ax, es ; ES:DI -> VxD API entry point
add ax, di
test ax,ax
jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (the debugger installation
check of the Windows debug interface).
There are several alternatives.

The following one is the simplest:

mov ax,4fh
int 41h
cmp ax, 0F386h
jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector is first
replaced by a dummy handler (a plain iret), so that without a system
debugger ax comes back unchanged and cannot equal 0F386h:

; es = 0 (the interrupt vector table) is assumed here
mov bx, cs
lea dx, int41handler2
xchg dx, es:[41h*4]
xchg bx, es:[41h*4+2]
mov ax,4fh
int 41h
xchg dx, es:[41h*4]
xchg bx, es:[41h*4+2]
cmp ax, 0f386h
jz SoftICE_detected

int41handler2 PROC
iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The program installs its own int 41h handler, which only copies al into
cl, then calls int 41h with cx cleared and a 'function number' taken from
the timer port (in al,40h). Without a system debugger the private handler
runs and cl ends up equal to al; if SoftICE handles int 41h itself, the
private handler is never reached, cl stays 0 and the cmp fails. (If the
byte read from port 40h happens to be 0 the check gives a false negative.)

int41handler PROC
mov cl,al
iret
int41handler ENDP


xor ax,ax
mov es,ax
mov bx, cs
lea dx, int41handler
xchg dx, es:[41h*4]
xchg bx, es:[41h*4+2]
in al, 40h
xor cx,cx
int 41h
xchg dx, es:[41h*4]
xchg bx, es:[41h*4+2]
cmp cl,al
jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86). Function 43h
is the installation check of that interface and returns the same 0F386h
magic number.

mov ah,43h
int 68h
cmp ax,0F386h
jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

mov ah, 25h
mov al, Int_Number ; (01h or 03h)
mov dx, offset New_Int_Routine ; ds:dx = new handler
int 21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
VMMCall Get_DDB
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their values (in ring0 only: mov from a debug register is privileged).
Values can be manipulated and/or changed as well (clearing BPMs for
instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" names the SoftICE VxD; the open only succeeds if it is loaded */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}


Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001 ; INVALID_HANDLE_VALUE
00401074: je 00401091



There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
*(esp->4+4)=='NTIC'
(esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
dword compared is the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
;will break 3 times :-(
-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

push 00 ; OF_READ
mov eax,[00656634] ; '\\.\SICE',0
push eax
call KERNEL32!_lopen
inc eax ; HFILE_ERROR (-1) + 1 = 0
jnz 00650589 ; detected
push 00 ; OF_READ
mov eax,[00656638] ; '\\.\SICE'
push eax
call KERNEL32!_lopen
inc eax
jz 006505ae ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

push 0000004fh ; function 4fh
push 002a002ah ; high word specifies which VxD (VWIN32),
; low word specifies which service
; (VWIN32_Int41Dispatch)
call Kernel32!ORD_0001 ; VxDCall
cmp ax, 0f386h ; magic number returned by system debuggers
jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

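Most of the checks in methods 01 to 12 above boil down to a handful of fixed
instruction sequences or device-name strings, which is exactly what a packer
analyst or an AV signature would look for statically. As an added example
(not part of the original text, and not code from any of the tools named
above), here is a small scanner that searches a binary for the raw x86
encodings of those sequences and runs it over a hand-assembled sample built
from the page's own snippets. The signature names, the `scan` function and the
sample bytes are my own construction; the byte patterns are the standard
16-bit encodings of the listed instructions, with an optional 66h operand-size
prefix so the same sequences inside 32-bit code still match.

```python
import re
from typing import Dict, List, Tuple

# Raw x86 encodings of the SoftICE checks listed on this page, as byte regexes.
# 16-bit instruction forms are used; an optional 66h prefix covers the same
# instructions inside 32-bit code. Lazy wildcards (.{0,n}?) skip unrelated
# instructions sitting between the interesting ones.
SIGNATURES: Dict[str, bytes] = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker BCHK": rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh (back-door magic values)
    "02 back-door magic SI/DI": rb"\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "03/04 int 2Fh/1684h VxD ID": rb"\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h ... cmp ax,0F386h
    "05 int 41h/4Fh": rb"\xB8\x4F\x00\xCD\x41.{0,16}?\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h
    "07 int 68h/43h": rb"\xB4\x43\xCD\x68",
    # Method 11: device names opened by MeltICE-style code
    "11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12 VxDCall Int41Dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, method) pairs for every signature hit, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: the page's snippets hand-assembled and glued with NOPs.
SAMPLE = (
    b"\x90" * 4
    # method 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    + b"\x90" * 3
    # method 02 (Haspinst): mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x90" * 3
    # method 04: xor di,di / mov es,di / mov ax,1684h / mov bx,7A5Fh / int 2Fh
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"
    + b"\x90" * 3
    # method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"
    + b"\x90" * 3
    # method 11: push offset of a "\\.\SICE" string, with the string inlined after it
    + b"\x68\x25\x20\x40\x00" + b"\\\\.\\SICE\x00"
    # method 12: push 4Fh / push 002A002Ah
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"
)


def report(data: bytes) -> List[str]:
    """One human-readable line per hit: file offset and the method it matches."""
    return [f"{off:08x}  {name}" for off, name in scan(data)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Running it on the sample lists six hits (methods 01, 02, 04, 05, 11 and 12);
method 07 is in the table but not in the sample. Against a real file, replace
SAMPLE with the bytes of the executable (after unpacking, since packers that
use these tricks usually encrypt their own check code).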
# z1 X% Y% |2 q9 U5 `__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
(esp->8 is the lpSubKey argument; offset 0x13 is where "tICE" sits in
"Software\NuMega\SoftICE" and 0x37 where it sits in
"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE")

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

VMMCall Test_Debug_Installed
je not_installed ; ZF is set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>