<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


        4C19:0095 MOV AX,0911     ; execute command.
        4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647     ; 1st magic value.
        4C19:009D MOV DI,4A4D     ; 2nd magic value.
        4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
        4C19:00A8 JB 0095         ; 6 different commands.
        4C19:00AA JMP 0002        ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
____________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; ES:DI == 0:0 means the VxD is not installed
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own handler (es assumed = 0, the IVT);
        xchg bx, es:[41h*4+2]   ; old offset is kept in dx, old segment in bx
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al               ; our handler copies al into cl
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; es = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, old offset kept in dx
        xchg bx, es:[41h*4+2]   ; old segment kept in bx
        in al, 40h              ; arbitrary value from the timer port
        xor cx,cx
        int 41h                 ; if our handler gets control, cl == al
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected    ; our handler never ran: the int was intercepted

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Open the SoftICE device; the open succeeds only if the driver is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025          ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
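
An added example, not part of the original text and not code from any tool or
program it mentions: the SoftICE breakpoint recipes above catch these tricks at
run time, but an analyst triaging a protected binary usually wants to find them
statically first. The C scanner below searches an image for the byte patterns
of methods 01, 02, 03, 04, 05 and 07 (the magic constants as immediates, 16-bit
encodings except the 32-bit mov ebp of method 01, which is an assumption about
how the snippets were assembled), for the device names opened by MeltICE
(method 11) and for the registry key of method 13. It also splits a VxDCall
service number such as 002A002Ah (method 12) into VxD ID and service index, and
renders the SI/DI magic values of method 02 as ASCII. The sample image, the
signature labels and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One pattern to look for, labelled with the method of the text it belongs to. */
typedef struct {
    const char    *name;
    const uint8_t *bytes;
    size_t         len;
} signature;

/* Instruction encodings, 16-bit code unless noted (assumption: constants are
 * immediates exactly as in the snippets of the text). */
static const uint8_t sig_bchk[]   = {0xBD, 0x4B, 0x48, 0x43, 0x42};       /* mov ebp,4243484Bh 'BCHK' (32-bit), method 01 */
static const uint8_t sig_magic[]  = {0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A}; /* mov si,4647h ; mov di,4A4Dh, method 02 */
static const uint8_t sig_sice[]   = {0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F}; /* mov ax,1684h ; mov bx,0202h ; int 2Fh */
static const uint8_t sig_siwvid[] = {0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F}; /* same with bx=7A5Fh, method 04 */
static const uint8_t sig_int41[]  = {0xB8, 0x4F, 0x00, 0xCD, 0x41};       /* mov ax,4Fh ; int 41h, method 05 */
static const uint8_t sig_int68[]  = {0xB4, 0x43, 0xCD, 0x68};             /* mov ah,43h ; int 68h, method 07 */

#define SIG(label, arr) { label, arr, sizeof(arr) }
#define STR(label, lit) { label, (const uint8_t *)lit, sizeof(lit) - 1 }

static const signature sigs[] = {
    SIG("01 BoundsChecker 'BCHK' constant",          sig_bchk),
    SIG("02 back door magic values in SI/DI",        sig_magic),
    SIG("03 int 2Fh/1684h with SICE VxD ID",         sig_sice),
    SIG("04 int 2Fh/1684h with SIWVID VxD ID",       sig_siwvid),
    SIG("05 int 41h function 4Fh",                   sig_int41),
    SIG("07 int 68h function 43h",                   sig_int68),
    STR("11 MeltICE device name \\\\.\\SICE",        "\\\\.\\SICE"),
    STR("11 MeltICE device name \\\\.\\SIWVID",      "\\\\.\\SIWVID"),
    STR("11 MeltICE device name \\\\.\\NTICE",       "\\\\.\\NTICE"),
    STR("13 registry key Software\\NuMega\\SoftICE", "Software\\NuMega\\SoftICE"),
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* Offset of needle in hay, or -1 if absent (memmem is not portable C). */
static long find_bytes(const uint8_t *hay, size_t hlen, const uint8_t *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen)
        return -1;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return (long)i;
    return -1;
}

/* Scan an image for every signature; stores the table indexes of the ones
 * found in hits[] (at most max of them) and returns how many were found. */
size_t scan_image(const uint8_t *img, size_t len, size_t *hits, size_t max)
{
    size_t n = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        if (find_bytes(img, len, sigs[s].bytes, sigs[s].len) >= 0) {
            if (n < max)
                hits[n] = s;
            n++;
        }
    }
    return n;
}

const char *signature_name(size_t idx) { return idx < NSIGS ? sigs[idx].name : NULL; }

/* VxDCall service number (method 12): VxD ID in the high word, service in the low. */
uint16_t vxdcall_vxd_id(uint32_t service)  { return (uint16_t)(service >> 16); }
uint16_t vxdcall_service(uint32_t service) { return (uint16_t)(service & 0xFFFFu); }

/* The two ASCII bytes of a 16-bit magic value, high byte first: 4647h -> "FG". */
void magic_word_ascii(uint16_t w, char out[3])
{
    out[0] = (char)(w >> 8);
    out[1] = (char)(w & 0xFF);
    out[2] = '\0';
}

/* Constructed sample image (not a real file): filler around an int 41h/4Fh
 * probe, a MeltICE device name and the BoundsChecker constant. */
static const uint8_t sample_image[] = {
    0x90, 0x90, 0x55, 0x8B, 0xEC,
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3,  /* mov ax,4Fh ; int 41h ; cmp ax,0F386h */
    0x90, 0x90,
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00, /* "\\.\SICE" */
    0x90,
    0xBD, 0x4B, 0x48, 0x43, 0x42,                    /* mov ebp,4243484Bh */
    0xC3
};

size_t scan_sample(size_t *hits, size_t max)
{
    return scan_image(sample_image, sizeof sample_image, hits, max);
}

int main(void)
{
    size_t hits[NSIGS];
    size_t n = scan_sample(hits, NSIGS);
    for (size_t i = 0; i < n; i++)
        printf("found: method %s\n", signature_name(hits[i]));
    return 0;
}
```

On the constructed sample the scanner reports methods 05, 11 and 01. Byte
signatures of this kind only catch code assembled the way the text shows it;
a protector that builds the magic values in registers at run time needs the
run-time breakpoints listed under each method instead.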
</PRE></TD></TR></TBODY></TABLE>