<TABLE width=500>7 A7 S% e0 p# q! _! ^. e! u0 K
<TBODY>
, v4 \- l1 j0 `+ q* |/ ?<TR>
) Q: S, |& R3 p/ b. p; ]<TD><PRE>Method 01 & q! J8 G: D. X8 K
=========' B9 S! Z) e: |7 B
$ D' q( S3 t2 r9 i* A& @, ]
This method of detection of SoftICE (as well as the following one) is
! g5 D+ q/ i4 H4 ]7 H6 C4 pused by the majority of packers/encryptors found on Internet." ]! A. T2 t6 H
It seeks the signature of BoundsChecker in SoftICE
( ~! p3 g4 o5 b; r4 v" v6 z- M) `; I; W; F2 C
mov ebp, 04243484Bh ; 'BCHK'; k. l6 `3 p: K! z* ^' t
mov ax, 04h8 l! P: [/ x) H5 a1 P
int 3
. L2 T Z8 `: U9 b! Q cmp al,4- M$ M6 i7 N5 J, Q5 C* W/ S9 Y
jnz SoftICE_Detected
' h# t/ q/ r5 E9 J7 O7 n: Y/ B3 x2 U4 _! H( o" W: a# B
___________________________________________________________________________8 [( d2 `) k9 ^; o3 c
1 w# d6 i0 ? ]: ~* ?0 h" L4 KMethod 02
; t9 R/ V( U. u=========4 S& G) ~ T: H
X+ D7 r; z* X- F3 h) K
Still a method very much used (perhaps the most frequent one). It is used+ Y; }9 N G5 g- R9 S5 e& a2 @7 y+ [
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
0 R6 }9 m7 J+ ~! o( uor execute SoftICE commands...
. P! b" @9 y' E" `- AIt is also used to crash SoftICE and to force it to execute any commands* ~2 @2 X1 j1 {- B7 ?, ~
(HBOOT...) :-(( & a ]7 {5 f/ G: K6 I/ r/ b" K
1 U A; E, }7 s" `) ` o1 b' ^Here is a quick description:
0 H3 k" T* `2 q5 O( K7 r-AX = 0910h (Display string in SIce windows)
/ H% f8 p' z* N% i; f! F; w4 {-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)) T" h* G1 O% k# K5 g
-AX = 0912h (Get breakpoint infos)! I: a; W9 W- R' Z
-AX = 0913h (Set Sice breakpoints)
7 e* T* B6 |+ C6 w* z-AX = 0914h (Remove SIce breakoints)
4 H/ l. i7 m/ e6 `& l, [- E6 K1 c# t# o3 }
Each time you'll meet this trick, you'll see:2 C9 j) g; B6 Z/ f, R, I
-SI = 4647h
; Q. N: `% J. q' \" F9 v( x/ g-DI = 4A4Dh
: d6 q+ Z8 X* K A: hWhich are the 'magic values' used by SoftIce.
% Z G$ ~7 J, F) D( F+ m- vFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
& m3 J& B+ l' R! u6 ]. p3 V# @( ^1 F! S* J4 j c+ q7 ~
Here is one example from the file "Haspinst.exe" which is the dongle HASP, U( B+ F: Q2 |' @: X
Envelope utility use to protect DOS applications:
! I2 u! }7 M% g0 R" X& V( M: k+ T* l" M( I) e) {
# ^% v9 n; E/ D4 M8 \3 ^) Q" r4C19:0095 MOV AX,0911 ; execute command.
0 ?! d- J; L7 J, U7 e) U% B% J4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).% \' Z$ w$ J( X# n1 P( @4 C1 H
4C19:009A MOV SI,4647 ; 1st magic value.5 l4 U& ]( E4 Q5 C
4C19:009D MOV DI,4A4D ; 2nd magic value.+ k. y2 w/ N0 n3 m, g2 B$ n
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)' F9 v5 y' O! N9 y% Q
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute! D1 O! C& ?3 u+ X3 L8 ?+ }
4C19:00A4 INC CX7 `9 O) ^: T. r: t% A& F
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
, _ X. w; k# i" s0 J b' W6 W4C19:00A8 JB 0095 ; 6 different commands.
+ H+ J" e# s/ j0 n+ T4 s# P, e: Z4C19:00AA JMP 0002 ; Bad_Guy jmp back.
% n0 b4 [& B& B6 U4C19:00AD MOV BX,SP ; Good_Guy go ahead :)$ E9 s$ v, a+ o# W4 a; Y( {, x
3 w- B4 P- L8 l) u% }/ ?" W4 o
The program will execute 6 different SIce commands located at ds:dx, which
5 R7 H9 a0 B% b) ? h2 A! K' q! Sare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.7 e* \& b1 i* r6 l0 ?2 [+ I0 {
) R+ o% N e3 |/ Y* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
- l2 \( N" r# [8 s; I7 m/ P) M___________________________________________________________________________
3 f6 b L) R9 z0 V8 _& C; o8 A+ P* n" L- X; b2 q, [( U* ^
3 c7 w3 t, B }$ f0 i7 v* QMethod 03# Z- t+ V g& L6 B
=========# y' y! y+ a4 O
( A9 z* A4 E+ { h2 ~
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
5 e* \8 a" F6 A(API Get entry point)
6 E; C/ q2 F9 }7 l" _9 Y
2 L( t! x. Z. M+ c6 k& J n3 r, F1 b5 D0 U, ~* ~
xor di,di2 V5 V! F# M$ N& {) x" S
mov es,di6 @ Y: e, g" Y9 D$ z+ g6 \
mov ax, 1684h 7 ?0 U" X' r R( v; u, u2 z4 M7 `
mov bx, 0202h ; VxD ID of winice' C8 j" {& ~9 |, i- m$ ?# G
int 2Fh
2 ~6 D) q1 g' Y1 ? mov ax, es ; ES:DI -> VxD API entry point
% g" t3 Y+ Q9 a. G add ax, di
0 f/ @& Y) ^2 d( o; t4 O9 r test ax,ax4 S/ F8 U! [8 n5 ^. D( J
jnz SoftICE_Detected
: E4 {' t/ \. ^3 _, K2 I4 ^. S1 z; x6 {# g# `
___________________________________________________________________________
% q) i& }" B: }( o, ^( M, b% h4 _9 n# k0 ?+ D4 K9 U. N
Method 04
4 x: o: X# s+ w=========0 p+ P( i) h! O! ?4 a: x S" E
: X! j& K# f% m! R
Method identical to the preceding one except that it seeks the ID of SoftICE2 u( |$ I" u( l& s( o- V: F
GFX VxD.$ _7 g! J6 i+ ^! o
- |8 M) K! G/ ~" X$ U xor di,di
+ {* w2 r) d/ Q/ V mov es,di
% X. U9 i1 N9 T: M4 c/ P mov ax, 1684h 2 L4 o. e6 z% o5 B
mov bx, 7a5Fh ; VxD ID of SIWVID
$ k C7 k: g: k) F. X int 2fh
- r+ s" N* A5 m! } mov ax, es ; ES:DI -> VxD API entry point
8 ~' K6 d# ~1 B8 Y add ax, di
- g+ M" g! i+ o% t1 V! t1 N' q test ax,ax. I$ h& ]3 z) c! K
jnz SoftICE_Detected- h+ C6 {' F) K
% [' m) a% K; E2 s/ Q
__________________________________________________________________________
* w* R: T5 y- | G6 d4 q
! |0 @: S6 I4 v2 B; m. `2 i, ^
~' C' T% W, N$ K" Y* ~" y5 \Method 053 T3 M4 r, R! ^/ B! }1 F3 G$ |
=========. U) [' L9 ]0 x; M0 i- Z/ G& H! I
2 e1 o3 d+ h) k: LMethod seeking the 'magic number' 0F386h returned (in ax) by all system
& m R+ { d, h3 l. S: Rdebugger. It calls the int 41h, function 4Fh.
( X6 N7 E% ], P3 R% I6 v( dThere are several alternatives. + {- @: ?6 c0 b" k2 ] V/ Y
2 ~1 ?$ P& R. v) T; W# B- k6 S
The following one is the simplest:" S( h" R. t5 i% _6 }8 Q
! z$ [5 z+ D# b1 A1 \) ]5 _% U
mov ax,4fh2 e- K- Z( `+ B" T0 z+ J
int 41h* f7 ~" ^1 S3 E7 F2 }# n
cmp ax, 0F386
" M* \/ T# O/ ~2 h* k! ]+ j jz SoftICE_detected0 P8 `/ P" R/ l0 y8 K W$ F
( e3 `5 A9 v# M1 _6 s
8 Q, a/ X3 K7 a ^7 p: |Next method as well as the following one are 2 examples from Stone's
& U \' ]8 P: Y, P0 H9 b"stn-wid.zip" (www.cracking.net):
7 w$ F) D! \, M5 G( D
) \' p, d& c! A T8 j/ | mov bx, cs
8 Z# [* G9 E- I6 ~4 E9 ~2 \0 y lea dx, int41handler2
8 F2 ]6 X' ~. z' r7 F& i xchg dx, es:[41h*4]
: l. F2 s# R/ b xchg bx, es:[41h*4+2]: ]8 x' r+ |; I/ C# v
mov ax,4fh
; b2 k b7 c$ l int 41h
1 ^: T5 A G. c. K7 }- ?( B8 l3 L xchg dx, es:[41h*4]
2 I2 Q9 f+ J" J1 ~- j9 K xchg bx, es:[41h*4+2]
8 H' i s, \+ p0 w9 w3 O cmp ax, 0f386h; N2 F# ?8 u3 G
jz SoftICE_detected2 @0 S6 M/ l6 N
, X) {; E6 j) t! K( b2 h
int41handler2 PROC4 m$ G: O4 [' q5 v
iret {5 \* ]; P3 I% {* |
int41handler2 ENDP: M/ c( l. Q$ I/ a1 i; M5 i; }5 U
9 h I3 I9 ?/ l; Q
! ?6 n0 _( K. o( i, T' B( k
_________________________________________________________________________6 N! p: m: C) b B* _, _) ]" K/ g: P
3 L7 y$ E: x, U$ i Z
O7 B# l4 q, W5 Y2 NMethod 06+ h, O( W% h) N% r9 b, o
=========1 o1 q/ a& C3 G4 w+ a
4 O- Q. h# W& O2 a6 i2 T. w/ r: s7 R' b, z1 D- ], g+ N
2nd method similar to the preceding one but more difficult to detect:
7 @- y: D* B( y. ?( k5 l0 u0 `) t2 q6 f9 E
3 n, f4 W1 _) _int41handler PROC
# c- G& P, q0 {! k+ B- y mov cl,al
. v( t* `3 d; e: P: F) f iret
b0 Z8 l+ s" R4 k; Lint41handler ENDP
8 o# x* q& C, g6 V0 z4 H, w2 n
$ f/ Y. u7 z( B8 Z) d) w4 g% p/ e( q0 k: u- K
xor ax,ax3 P( I+ U H% t- E3 N/ i8 u* o
mov es,ax8 q. \: A: j- q+ k* y1 s1 c
mov bx, cs
4 l% q6 ?1 o& s9 W, ^5 p lea dx, int41handler9 `* U1 _# {& z' W e T0 @$ t% y2 T
xchg dx, es:[41h*4]
$ l5 f( `- e' j" D7 d7 N9 b xchg bx, es:[41h*4+2]
8 E$ C( Q) x$ e& q2 S in al, 40h
: }" c2 A S4 p0 d! c$ H& \ xor cx,cx" U& ? i5 ^$ f# N7 m
int 41h5 s' x, s6 n2 e% L
xchg dx, es:[41h*4]* \9 [ B! F: G$ s5 a3 D
xchg bx, es:[41h*4+2]/ w( V2 m# @! P4 x
cmp cl,al/ z" J5 n3 T6 p+ {
jnz SoftICE_detected3 \& P* a% a" V# K
5 y4 Y: a+ C3 } p; l$ \) G_________________________________________________________________________7 q) V& n6 f: v6 l: \
; T+ M9 \4 l4 ^' \5 t2 P) }Method 07
9 I7 K/ Y8 {5 L0 m' ]) z=========
$ G% {$ v& t( R; s
$ c: ?. x2 W$ MMethod of detection of the WinICE handler in the int68h (V86)
/ a0 I5 \' L# ^7 [* ]# a. p3 Z, V
7 ^+ @7 Y9 R3 s1 L" d* p& m mov ah,43h
1 J. k( s8 [& z' _/ [ int 68h i# d+ D8 x( p: U8 B
cmp ax,0F386h
7 ?$ w$ Z' i5 i2 _/ w5 G( f jz SoftICE_Detected
P+ G! @8 b+ O6 [5 e6 u W" k3 @7 u# x! [' _& Q: N; _& Y
9 ?, e0 h* u3 i" q# Y/ K/ N=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit( t* E+ }# k0 I3 k# o& w t
app like this:9 d/ u$ L9 G* T# a
: `5 k n$ V% {9 I* T2 o
BPX exec_int if ax==68; Z, \( o+ `0 _4 u6 E# W, M
(function called is located at byte ptr [ebp+1Dh] and client eip is4 `( Q7 x' K& F1 Z
located at [ebp+48h] for 32Bit apps)
' I7 }% f( I' N7 W( m j- `__________________________________________________________________________
4 k8 U/ M8 V2 b5 D" y) L4 ~3 Z6 W7 w# J9 W/ m
9 z# r$ f- I- v/ Z/ T+ V% cMethod 08
. J9 b0 [: D0 m=========
+ X, ]: `1 K. l9 i
& m3 S$ f; t, W; V* Z; nIt is not a method of detection of SoftICE but a possibility to crash the: `4 q, v$ \; [
system by intercepting int 01h and int 03h and redirecting them to another
; \7 i7 N j' m Nroutine.
; u2 K3 P* t( L7 LIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points& A' X1 e. R ~. Z- J- I9 I7 ^
to the new routine to execute (hangs computer...)) K) [, i& A' Y
- v3 x7 Q# C$ k) a mov ah, 25h
/ b6 x; D3 n! h1 _0 _6 `7 Y mov al, Int_Number (01h or 03h)
' W. w& q4 A' n4 b) p/ @ G" w. [0 t mov dx, offset New_Int_Routine, j7 d) e3 W. A
int 21h) i6 X! H6 c5 }0 L- {
6 P3 x9 T; r! c5 n__________________________________________________________________________) o- b7 C2 u; ]% M: J5 R, i* ~" T
4 J" W6 R/ i- k; N4 B; eMethod 09
9 I" M1 i( p! J% e=========
* p9 [) L! s2 P0 f$ H; ?% f
" d) W+ u/ n) v1 _) U# ^This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only! U9 E2 e0 c( V& E I
performed in ring0 (VxD or a ring3 app using the VxdCall).
0 [" f; w2 w, F: P& JThe Get_DDB service is used to determine whether or not a VxD is installed$ N$ H' K# Y* `2 L5 T9 w
for the specified device and returns a Device Description Block (in ecx) for8 l! s6 }) t6 Z+ b/ b- j
that device if it is installed.' D ~* ^1 \; r% Z4 [5 b
- n1 |1 P) c* F( K7 V8 \2 t mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
% I' w# @! e2 }. [) D0 U mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
4 U/ C; T/ x* Z; ?5 i+ B VMMCall Get_DDB7 c# h4 w9 O' L5 o% ~# @" {9 C4 k$ b
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
* {6 n0 R9 n. c' G1 o! O; {& v4 s* N; L, T; H7 }
Note as well that you can easily detect this method with SoftICE:8 f9 T9 Q: m: \* D
bpx Get_DDB if ax==0202 || ax==7a5fh e0 Q2 I1 E# }
+ x; _5 v9 o. o! {2 d! N; U
__________________________________________________________________________% x! O+ A4 v3 l
% a0 Q3 c6 N' h, j" i
Method 10, F/ O, V x. A' [, s# K0 ~
=========
, {+ R9 n" R2 B- [, l" s* M, x& c3 h7 }3 H4 v; F. E
=>Disable or clear breakpoints before using this feature. DO NOT trace with( I2 q, D8 k) `9 B: N/ R( i
SoftICE while the option is enable!!
1 i4 J: d& f' q( q# _- ~) O
7 c/ b( k4 R9 R d; [This trick is very efficient:: Z- a' s0 x" O% U% [- P
by checking the Debug Registers, you can detect if SoftICE is loaded) a+ O' E5 z/ c( O2 s3 `0 t% O3 H& m' ~- D
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
# G( M1 S+ ]* jthere are some memory breakpoints set (dr0 to dr3) simply by reading their9 A+ x! V, s7 N
value (in ring0 only). Values can be manipulated and or changed as well5 d# }: V7 [( \7 d1 U( C9 H+ L
(clearing BPMs for instance)* [ ^8 a( a3 ~) F/ N# W
9 h P9 c: Y1 {- m
__________________________________________________________________________
; p/ c* ]5 i4 d {0 [0 {6 ?" d
/ c' I5 T8 T' a: [# XMethod 11, o6 j7 o8 ~4 L1 [9 a, J% N: f; y
=========
Q0 q F5 S) Z% f
, V% M0 E* _! B* N( i! \This method is most known as 'MeltICE' because it has been freely distributed. V2 N- P$ u- H3 W8 Y
via www.winfiles.com. However it was first used by NuMega people to allow
G7 J! d, f& z$ P4 ~Symbol Loader to check if SoftICE was active or not (the code is located
* h/ Z$ z: S f3 A' {. ~inside nmtrans.dll).
1 y$ e& i3 p( O' d
, m3 o9 k$ c; P2 n! q& x; ?The way it works is very simple:7 D3 J# Z* o" ]! q9 a% y
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for5 Z: U( N. [0 R+ Y% a
WinNT) with the CreateFileA API.% [! A, D/ | p0 q% g% G
% m6 k. D0 l2 {+ @! s2 b( d/ WHere is a sample (checking for 'SICE'):# W% {$ V/ h8 b
) I3 P Q6 V( z' ^/ k0 |$ e/ N
BOOL IsSoftIce95Loaded()% @' w: D5 U. `) W4 O7 H2 b/ E7 V
{! ^) Q! x/ S5 n, Q5 l6 M7 s& K
HANDLE hFile; 0 ]0 S+ x% p0 T4 j4 V- x( [
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,2 f' D4 }0 X3 N$ A
FILE_SHARE_READ | FILE_SHARE_WRITE,! g& |* h8 K, v0 t# S' u
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);' ?% ^ C0 e4 C5 `# }$ D- k8 x% t
if( hFile != INVALID_HANDLE_VALUE )
9 L! ?" y1 L" f, ^" G- ~9 C {
0 X' b5 ?6 {( O l B/ ] CloseHandle(hFile);
+ x; i3 x; l# V- k) Z% D$ I return TRUE;9 V# U1 k+ l- X+ s
}
5 r& P% R+ ^- c& ?1 L& N K return FALSE;: T- m5 D5 a+ V+ S: h. m
}
$ y6 W; o9 ^8 u2 ~
$ L. g1 |0 {9 f: wAlthough this trick calls the CreateFileA function, don't even expect to be9 a- K* n, e4 e) S' t+ [
able to intercept it by installing a IFS hook: it will not work, no way!
! H9 \9 d2 d4 ]' t+ T$ ?/ WIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
. k' \6 |7 ]$ g0 F2 s3 z! Oservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)1 U+ L" f: A! P5 L7 \3 w
and then browse the DDB list until it find the VxD and its DDB_Control_Proc, v6 u2 F m- L+ Z7 a5 q
field.
; G+ d4 ~* \' ~0 t$ [, hIn fact, its purpose is not to load/unload VxDs but only to send a 8 S& g% r& M( l9 m U
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)' z& Z. w- Z+ t4 s
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
3 R9 d7 f$ B9 I4 d( Wto load/unload a non-dynamically loadable driver such as SoftICE ;-).
) i% B* A, f1 D ^: o1 \: {4 L1 bIf the VxD is loaded, it will always clear eax and the Carry flag to allow
, r- O4 I& |. i* n1 X' t3 hits handle to be opened and then, will be detected.# y: c1 J3 w* m! J7 q: m+ |6 o
You can check that simply by hooking Winice.exe control proc entry point
9 b( b! o! }) L2 y- E( Rwhile running MeltICE.
. }! @6 k4 H* o3 X E6 f7 W
" [1 M! k% K. s+ z. g* N
8 d" L2 c; j/ e& H! W% b l! t 00401067: push 00402025 ; \\.\SICE
) j. h* r. V/ d, X) O }0 ? 0040106C: call CreateFileA4 H3 U- ~1 l8 J' s' I& i% h
00401071: cmp eax,-0016 f$ x! r7 q% \7 n# ~) `3 o7 _
00401074: je 00401091
h: @' f# H+ ~
% V7 S; Y2 q0 V1 K' ^7 l G
: G0 q( _- h2 kThere could be hundreds of BPX you could use to detect this trick.% ?4 H, q7 a; Y& x" X4 G4 N6 U* n2 ~
-The most classical one is:
9 o2 ?2 W$ w; B; @2 \8 G BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||3 J5 C t% t+ Q5 U7 v6 n5 l
*(esp->4+4)=='NTIC'& _1 o' I2 {& B7 ]7 _& Y
4 v# F) ]$ C p" X5 p
-The most exotic ones (could be very slooooow :-(8 r2 b& _" R' y" B& k" W' e$ X! s; P
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 6 y5 N$ ]2 |! q! ?$ L. Z' q
;will break 3 times :-(7 g& P$ C9 N7 U T% @9 |, Y w
: D t+ p- x, D8 [% c) \; O$ Z- D$ d
-or (a bit) faster: 4 r# W. q6 }3 H9 s! `$ q
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')2 }8 a- W( z- Y6 ]
, f5 b: y1 ?# Y0 y7 B2 i$ [9 R
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' & }" y$ N( a% ~
;will break 3 times :-(7 r' Q4 U, @9 n, d7 g4 N
' F, g3 n% g' C4 s4 t& H) Q9 D! s
-Much faster:
) E/ C9 e7 V j1 o- A BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'' ^& X: Y( [2 W3 b F9 J
5 M" {7 [" a! x& z8 c$ D
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
2 o9 t: B. T, {/ B9 I% W% c! G6 hfunction to do the same job:6 f. L, O) @+ a+ y4 a' K( T
0 O% V, B: [/ @ push 00 ; OF_READ% ^* B. `2 }+ V9 B/ x
mov eax,[00656634] ; '\\.\SICE',0
0 ?8 M5 I+ c4 }& D K' C push eax5 K1 s7 m0 _4 w) Q
call KERNEL32!_lopen
2 `6 ^9 {- B) {! ?) k: g inc eax/ n5 S! f/ w3 u$ j+ z
jnz 00650589 ; detected$ q1 N- Q# C1 q& \8 Q' F
push 00 ; OF_READ
w/ D4 D, J: ?( P+ {% d mov eax,[00656638] ; '\\.\SICE'
8 p/ p2 L% u& w! l9 j push eax
. |4 o3 c% f! k6 z3 t call KERNEL32!_lopen
5 d; [* v1 C0 V. A inc eax
3 s' w+ Y+ r5 j, E* B/ ]2 S jz 006505ae ; not detected N1 z; v* j5 x8 `' A- r- y: c' ^$ @
; H. A; _1 u4 r# q& W6 I& l# p
5 b, m3 `" ~0 x" Z; M2 {# ~" p
__________________________________________________________________________
3 q. T2 Y9 G' I) E7 I) I7 |# D
. _ [ ~ H: }Method 12& N* Z6 ?! k. a: f0 j- t1 R
=========6 F# |; {# L/ ? [
8 u; m7 B' I% A( UThis trick is similar to int41h/4fh Debugger installation check (code 05. y+ g( |. H, L# i' P, r" K+ \. ]# _
& 06) but very limited because it's only available for Win95/98 (not NT)
/ @+ S* T6 [: s& V0 Has it uses the VxDCall backdoor. This detection was found in Bleem Demo.
; x& S5 O' c! p, w; t Z- p+ i( T8 B8 c% [; C/ R
push 0000004fh ; function 4fh- B: B& j) t- E; a, G
push 002a002ah ; high word specifies which VxD (VWIN32) A4 y7 h/ `* K3 S
; low word specifies which service
7 b! J$ O) N* o1 _) A (VWIN32_Int41Dispatch)1 l9 {- d+ ~0 a* ~
call Kernel32!ORD_001 ; VxdCall
/ i* f% [5 \ s3 E cmp ax, 0f386h ; magic number returned by system debuggers4 I7 d# G! ~2 y8 g9 L4 [4 w* V4 n7 ]
jz SoftICE_detected
- o6 {2 @1 T8 b% S- ^2 ^/ p2 j. f
Here again, several ways to detect it:4 h# H0 h/ L7 U
t$ ]' u L" D2 x H; P3 O6 B) | BPINT 41 if ax==4f, D2 @& r* [5 A# Q; Z# }
/ w" ^, |/ `0 W5 }
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
9 v2 j- U, Y3 v3 Z
: S3 p9 G/ L- ^# h3 o* \4 U BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A1 K6 ^8 M9 B/ [
1 m- k$ l/ Y. H1 S3 X% _
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
/ o9 R9 e' ?; Y* f7 `6 D( t* p0 ^' E/ l: [4 ?/ _* A0 t$ a
__________________________________________________________________________6 D; C# N# E) w: i. ? {4 D+ a
2 E& f- {0 z9 z) u$ O9 J% b0 I( z
Method 13
% V( A8 c1 n! n, S- A=========
# V5 s+ M7 l* U3 E$ k8 x4 p2 g3 {6 {* f S( O3 B
Not a real method of detection, but a good way to know if SoftICE is
4 z' g h% d0 k9 a% O! u; V' Minstalled on a computer and to locate its installation directory.
: T) G: C; T; P; o6 oIt is used by few softs which access the following registry keys (usually #2) :
3 c2 V6 g7 @1 `# D
' S3 y1 f, n v0 o0 {! x-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion; `* _2 s* z# {; T: A7 Z' }' I) u
\Uninstall\SoftICE
, g! R- @" E* c2 k' A: ?7 @-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
) ]% R8 M# X7 j& j$ U6 M5 Y-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
! V P/ c% E) U+ J0 V `* A\App Paths\Loader32.Exe
& }+ w' M& D2 g$ m
9 M1 [: v5 p) K
( g" K# y7 [+ d' YNote that some nasty apps could then erase all files from SoftICE directory
8 Q0 J) @6 V# ], F, c1 f(I faced that once :-(
6 p# v3 H( K" p4 t% k
/ k( D: ]! D4 E5 a, k; zUseful breakpoint to detect it:
' y0 V' D* h. |$ e( v' [7 k4 a
; B7 J+ |5 }5 O% m' Z BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
: G* [9 e7 I7 R: J A- F# \6 j* Q# o d. |7 s- ?- q
__________________________________________________________________________
$ ~- J" }# o4 N+ E3 B
! P3 B/ |0 W4 `& y) O c1 Z! i# o0 S/ z) ]0 h
Method 14 . B: r6 K2 R" d* V9 `
=========
! |6 N( u' Y/ U1 h W: p% U* H. ^4 j1 z/ ^" i6 k
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
/ C* y1 i/ W( s& F" S( wis to determines whether a debugger is running on your system (ring0 only).; P$ b: y) y3 p- Z1 ?* [
* S2 O( ]6 S3 c1 f5 Q
VMMCall Test_Debug_Installed4 ^, v9 y% y/ s0 J$ u# s( ~
je not_installed" N4 }) ?; g: q
- o$ [5 K; L2 |( h" ?/ T5 QThis service just checks a flag.
; @7 y- {9 b( h" X</PRE></TD></TR></TBODY></TABLE> |