<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: with EBP holding the
signature 'BCHK' and AX=04h, an int 3 is answered by SoftICE, which
modifies AL; without SoftICE, AL is still 04h afterwards.

    mov  ebp, 04243484Bh         ; 'BCHK'
    mov  ax, 04h
    int  3
    cmp  al, 4
    jnz  SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It relies
on the SoftICE 'Back Door' commands of int 3, which give info on
breakpoints, execute SoftICE commands, etc.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SIce window)
-AX = 0911h (Execute a SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

    4C19:0095  MOV  AX,0911     ; execute command.
    4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A  MOV  SI,4647     ; 1st magic value.
    4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
    4C19:00A0  INT  3           ; int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute.
    4C19:00A4  INC  CX
    4C19:00A5  CMP  CX,06       ; repeat 6 times to execute
    4C19:00A8  JB   0095        ; 6 different commands.
    4C19:00AA  JMP  0002        ; Bad_Guy: jmp back.
    4C19:00AD  MOV  BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh, function 1684h (Get Device API Entry Point). If the VxD is not
loaded, ES:DI stays 0000:0000; otherwise it receives the entry point.

    xor  di, di
    mov  es, di
    mov  ax, 1684h
    mov  bx, 0202h               ; VxD ID of SICE (WinICE)
    int  2Fh
    mov  ax, es                  ; ES:DI -> VxD API entry point
    add  ax, di
    test ax, ax
    jnz  SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE video (GFX) VxD, SIWVID.

    xor  di, di
    mov  es, di
    mov  ax, 1684h
    mov  bx, 7A5Fh               ; VxD ID of SIWVID
    int  2Fh
    mov  ax, es                  ; ES:DI -> VxD API entry point
    add  ax, di
    test ax, ax
    jnz  SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger when int 41h, function 4Fh, is called.
There are several variants.

The following one is the simplest:

    mov  ax, 4Fh
    int  41h
    cmp  ax, 0F386h
    jz   SoftICE_Detected


The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector is swapped with
a dummy handler before the call (and restored afterwards), so a plain hook
of the real-mode vector is out of the picture: if AX still comes back as
0F386h, a debugger sitting underneath the IVT answered. The snippet relies
on ES pointing to the interrupt vector table (ES = 0), as Method 06 sets up
explicitly:

    mov  bx, cs
    lea  dx, int41handler2
    xchg dx, es:[41h*4]          ; install our handler in the IVT...
    xchg bx, es:[41h*4+2]        ; ...and keep the old vector in BX:DX
    mov  ax, 4Fh
    int  41h
    xchg dx, es:[41h*4]          ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp  ax, 0F386h
    jz   SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

Second method, similar to the preceding one but more difficult to detect:
instead of checking AX, the dummy handler copies AL into CL. If nobody
intercepts int 41h, the handler runs and CL equals AL afterwards; if
SoftICE handles the interrupt itself instead of passing it on to the
vector, the handler never runs and CL stays 0.

int41handler PROC
    mov  cl, al
    iret
int41handler ENDP


    xor  ax, ax
    mov  es, ax                  ; ES = 0 -> interrupt vector table
    mov  bx, cs
    lea  dx, int41handler
    xchg dx, es:[41h*4]          ; install our handler, save the old vector
    xchg bx, es:[41h*4+2]
    in   al, 40h                 ; unpredictable value (PIT counter 0)
    xor  cx, cx
    int  41h
    xchg dx, es:[41h*4]          ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp  cl, al
    jnz  SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler behind int 68h (the V86-mode debugger
interface):

    mov  ah, 43h
    int  68h
    cmp  ax, 0F386h
    jz   SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client EIP
    is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...).

    mov  ah, 25h
    mov  al, Int_Number          ; 01h or 03h
    mov  dx, offset New_Int_Routine
    int  21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (by a VxD, or by a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ECX)
if it is installed.

    mov  eax, Device_ID          ; 202h for SICE or 7A5Fh for SIWVID
    mov  edi, Device_Name        ; only used if no VxD ID (useless here ;-)
    VMMCall Get_DDB
    mov  [DDB], ecx              ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the soft with SoftICE's loader, 0x400 otherwise)
or whether memory breakpoints are set (DR0 to DR3), simply by reading their
values (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

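As an added example (not code from the original text), here is how the values
a ring-0 check reads back from DR7 and DR0..DR3 decode, in Python. The bit
layout is the architectural DR7 format; the 0x700/0x400 rule is the one stated
above, and the register values at the bottom are constructed for the example,
not captured from a real machine.

```python
"""Decoder for the x86 debug registers that the Method 10 check reads.

Added example, not code from the original text.  The bit layout is the
architectural DR7 format; the register values used below are constructed
(what a ring-0 read might return), not captured from a real machine."""
from typing import Dict, List, Sequence

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}  # R/Wn field
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}       # LENn field (2 -> 8 bytes, 64-bit only)

DR7_LE = 0x100      # bit 8:  local exact breakpoint enable
DR7_GE = 0x200      # bit 9:  global exact breakpoint enable
DR7_BIT10 = 0x400   # bit 10: reserved, always reads as 1 (the "0x400 otherwise")
DR7_GD = 0x2000     # bit 13: general detect, traps any MOV to/from a DRx


def decode_dr7(dr7: int, dr0_3: Sequence[int]) -> Dict:
    """Break DR7 down into the enabled hardware breakpoints (addresses taken
    from DR0..DR3) and the global control bits."""
    bps: List[Dict] = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # Ln enable bit
        glob = (dr7 >> (2 * i + 1)) & 1       # Gn enable bit
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wn: what access triggers it
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENn: how many bytes it covers
        bps.append({"index": i, "address": dr0_3[i], "kind": RW_KIND[rw],
                    "length": LEN_BYTES[ln], "global": bool(glob)})
    return {"local_exact": bool(dr7 & DR7_LE),
            "global_exact": bool(dr7 & DR7_GE),
            "general_detect": bool(dr7 & DR7_GD),
            "breakpoints": bps}


def loaded_by_softice_loader(dr7: int) -> bool:
    """The text's heuristic: DR7 == 0x700 (LE and GE set on top of bit 10)
    when SoftICE's loader started the program, 0x400 otherwise.  Only LE/GE
    are tested so that enabled breakpoints do not hide the signature."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def memory_breakpoints_present(dr7: int) -> bool:
    """Any L0..L3/G0..G3 bit set means a BPM-style hardware breakpoint."""
    return (dr7 & 0xFF) != 0


def clear_memory_breakpoints(dr7: int) -> int:
    """What a 'clear the BPMs' manipulation writes back: all Ln/Gn enable
    bits off, everything else (LE/GE/bit 10, R/W and LEN fields) untouched."""
    return dr7 & ~0xFF


# Constructed values: program started from the SoftICE loader (0x700) with one
# 4-byte read/write BPM on 0x00401000 in DR0: L0=1, R/W0=11b, LEN0=11b.
SAMPLE_DR7 = 0x700 | 0x1 | 0x30000 | 0xC0000     # == 0x000F0701
SAMPLE_DR0_3 = [0x00401000, 0, 0, 0]

if __name__ == "__main__":
    info = decode_dr7(SAMPLE_DR7, SAMPLE_DR0_3)
    print(f"DR7={SAMPLE_DR7:#x} loader={loaded_by_softice_loader(SAMPLE_DR7)}")
    for bp in info["breakpoints"]:
        print(f"  DR{bp['index']}: {bp['kind']} {bp['length']}B at {bp['address']:#010x}")
    print(f"after clearing BPMs: DR7={clear_memory_breakpoints(SAMPLE_DR7):#x}")
```

The protection only needs `loaded_by_softice_loader` and
`memory_breakpoints_present`; the full decode is what you want on the other
side, to see which BPM the target is about to wipe with
`clear_memory_breakpoints` before it does.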
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* "\\.\SICE" names the device interface of the SICE VxD */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);      /* the open succeeded: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001 / VxDCall
function) and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, its control proc always clears EAX and the Carry flag
so that the handle is opened, and SoftICE is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025            ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp  eax,-001
    00401074: je   00401091

There are hundreds of BPXs you could use to detect this trick.
-The most classical one (the filename pointer is at [esp+4] on entry; the
 +4 skips the "\\.\" prefix):
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                      ; OF_READ
    mov  eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc  eax                     ; HFILE_ERROR (-1) becomes 0
    jnz  00650589                ; detected
    push 00                      ; OF_READ
    mov  eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc  eax
    jz   006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 &amp; 06) but very limited because it only works on Win95/98 (not
NT), as it uses the VxDCall back door. This detection was found in the
Bleem demo.

    push 0000004Fh               ; function 4Fh
    push 002A002Ah               ; high word selects the VxD (VWIN32),
                                 ; low word selects the service
                                 ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001       ; VxDCall
    cmp  ax, 0F386h              ; magic number returned by system debuggers
    jz   SoftICE_Detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386       ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

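As an added example (not code from the original text): the byte patterns of
methods 01 to 07, 11, 12 and 13 are easy to hunt for in a file before even
running it, which is what you want when a packer buries the check. The Python
scanner below encodes each snippet as its plain x86 byte sequence (allowing a
few junk bytes between the key instructions) and runs it over a hand-assembled
sample; the sample bytes, the labels and the gap sizes are this example's own
choices, not taken from any real binary.

```python
"""Scanner for the SoftICE detection idioms described above (methods 01-07,
11, 12 and 13).  Added example, not code from the original text.  The byte
patterns are the plain x86 encodings of the listed instructions; the sample
blob is constructed by hand for this example, not taken from a real binary."""
import re
from typing import List, Tuple

# Device names opened by MeltICE-style checks (Method 11), as they sit in a
# binary's string table, matched in both ANSI and UTF-16LE form.
DEVICE_NAMES = (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")

# (label, regex over raw bytes).  `.{0,N}` tolerates a few unrelated bytes
# between the key instructions, since packers often interleave junk code.
PATTERNS = [
    # Method 01: mov ebp,'BCHK' (66 BD 4B 48 43 42) / mov ax,4 / int 3
    ("M01 BCHK int3",
     rb"\x66\xBD\x4B\x48\x43\x42.{0,8}\xB8\x04\x00.{0,8}\xCC"),
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) / int 3
    ("M02 backdoor int3",
     rb"(?:\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46)"
     rb".{0,8}\xCC"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh (either order) / int 2Fh
    ("M03/04 int2F/1684",
     rb"(?:\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A)"
     rb"|\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xB8\x84\x16).{0,8}\xCD\x2F"),
    # Methods 05/06: mov ax,4Fh / int 41h
    ("M05/06 int41/4F", rb"\xB8\x4F\x00.{0,16}\xCD\x41"),
    # Method 07: mov ah,43h / int 68h
    ("M07 int68/43", rb"\xB4\x43.{0,8}\xCD\x68"),
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("M12 VxDCall Int41Dispatch", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 11: NUL-terminated device name, ANSI ...
    ("M11 device name",
     b"(?:" + b"|".join(re.escape(n) for n in DEVICE_NAMES) + b")\x00"),
    # ... and UTF-16LE (CreateFileW, or a Unicode string table)
    ("M11 device name (UTF-16)",
     b"(?:" + b"|".join(re.escape(n.decode().encode("utf-16-le"))
                        for n in DEVICE_NAMES) + b")\x00\x00"),
    # Method 13: registry key of the SoftICE installation
    ("M13 registry key", rb"Software\\NuMega\\SoftICE"),
]
COMPILED = [(label, re.compile(rx, re.DOTALL)) for label, rx in PATTERNS]


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (label, offset) for every pattern hit, ordered by offset."""
    hits = [(label, m.start())
            for label, rx in COMPILED for m in rx.finditer(blob)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_file(path: str) -> List[Tuple[str, int]]:
    """Same thing over a whole file (DOS .EXE/.COM or PE, no parsing needed)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Hand-assembled sample (constructed for this example): the snippets of
# methods 01, 03, 05, 07, 02 and 12 back to back, then the Method 11 and 13
# strings as they would sit in a data section.
SAMPLE = bytes.fromhex(
    "66BD4B484342" "B80400" "CC" "3C04" "7500"          # M01: 'BCHK' probe
    "90909090"
    "33FF" "8EC7" "B88416" "BB0202" "CD2F"              # M03: int 2Fh/1684h, SICE
    "9090"
    "B84F00" "CD41" "3D86F3" "7400"                     # M05: int 41h/4Fh
    "B443" "CD68" "3D86F3" "7400"                       # M07: int 68h/43h
    "9090"
    "B81109" "8B17" "BE4746" "BF4D4A" "CC"              # M02: back door, AX=0911h
    "9090"
    "6A4F" "682A002A00" "E800000000" "3D86F30000"       # M12: VxDCall (32-bit)
) + b"\\\\.\\SICE\x00" \
  + "\\\\.\\NTICE\x00".encode("utf-16-le") \
  + b"Software\\NuMega\\SoftICE\x00"

if __name__ == "__main__":
    for label, off in scan(SAMPLE):
        print(f"{off:06X}  {label}")
```

A hit only tells you where to put the BPX; it does not prove the code is ever
reached, and a packer that decrypts the check at run time will only show it
in a memory dump, not in the file on disk.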
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je   not_installed           ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>