<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command is pointed to by ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

        4C19:0095 MOV AX,0911   ; execute command.
        4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
        4C19:009A MOV SI,4647   ; 1st magic value.
        4C19:009D MOV DI,4A4D   ; 2nd magic value.
        4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
        4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
        4C19:00A4 INC CX
        4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
        4C19:00A8 JB 0095       ; 6 different commands.
        4C19:00AA JMP 0002      ; Bad_Guy jmp back.
        4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; non-zero ES:DI means the VxD answered
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor ax,ax
        mov es,ax               ; es = 0 so es:[41h*4] is the IVT entry (as in method 06)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler, save the old one
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; random-looking value from the timer
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx = new handler
        int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* the device name can only be opened if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                ;will break 3 times :-(
-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

___________________________________________________________________________

Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

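The breakpoints above catch these tricks at run time; the following static scanner is an added example (not part of the original text) that looks for the byte patterns of the checks in methods 01 to 05, 07, 11, 12 and 13 in a raw binary, the kind of signature an analyst uses to flag a sample that tests for SoftICE before running it. The encodings assume the instruction forms shown in the listings (16-bit code for the DOS methods, 32-bit for methods 01 and 12); the sample buffer is constructed from the page's listings and is not a real file.

```python
import re

# Byte signatures for the SoftICE checks in methods 01-05, 07, 11, 12 and 13
# above: regexes over raw bytes built from the standard x86 encodings of the
# instructions in the listings (mov ebp,imm32 = BD + 4 bytes, int 3 = CC,
# int 41h = CD 41, cmp ax,imm16 = 3D + 2 bytes), joined by short lazy
# wildcards so that operands loaded in another order still match.
ANTI_SOFTICE_SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... mov ax,4 ... int 3 (32-bit code)
    "bchk_int3": rb"\xbd\x4b\x48\x43\x42.{0,16}?\x66\xb8\x04\x00.{0,8}?\xcc",
    # Method 02: mov si,4647h / mov di,4A4Dh magic values before int 3 (16-bit)
    "backdoor_magic": rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a.{0,8}?\xcc",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "int2f_vxd_id": rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f",
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    "int41_4f": rb"\xb8\x4f\x00.{0,8}?\xcd\x41.{0,8}?\x3d\x86\xf3",
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    "int68_43": rb"\xb4\x43.{0,8}?\xcd\x68.{0,8}?\x3d\x86\xf3",
    # Method 11 (MeltICE): driver device names passed to CreateFileA / _lopen
    "meltice_names": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh (imm8 or imm32 form) / push 002A002Ah before VxDCall
    "vxdcall_int41": rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00).{0,4}?\x68\x2a\x00\x2a\x00",
    # Method 13: the NuMega registry key queried to locate the installation
    "registry_key": rb"NuMega\\SoftICE",
}


def scan_for_anti_softice(data: bytes) -> list[tuple[str, int]]:
    """Return (signature name, offset) for every hit, ordered by offset."""
    hits = []
    for name, pattern in ANTI_SOFTICE_SIGNATURES.items():
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample (not a real file): the Haspinst.exe loop from method 02
# re-encoded as 16-bit code, then the method 01 BCHK check as 32-bit code,
# then a MeltICE device name, with filler bytes between the fragments.
SAMPLE = b"".join([
    b"\xb8\x11\x09",          # mov ax,0911h
    b"\x8b\x17",              # mov dx,[bx]
    b"\xbe\x47\x46",          # mov si,4647h
    b"\xbf\x4d\x4a",          # mov di,4A4Dh
    b"\xcc",                  # int 3
    b"\x83\xc3\x02",          # add bx,2
    b"\x41",                  # inc cx
    b"\x83\xf9\x06",          # cmp cx,6
    b"\x72\xeb",              # jb back to the mov ax,0911h (rel8 = -21)
    b"\x90" * 4,              # filler
    b"\xbd\x4b\x48\x43\x42",  # mov ebp,4243484Bh
    b"\x66\xb8\x04\x00",      # mov ax,4
    b"\xcc",                  # int 3
    b"\x3c\x04",              # cmp al,4
    b"\x75\x10",              # jnz SoftICE_Detected (displacement constructed)
    b"\x00" * 4,              # filler
    b"\\\\.\\SICE\x00",       # "\\.\SICE" as stored in the binary
])
```

scan_for_anti_softice(SAMPLE) reports the backdoor magic values at offset 5, the BCHK check at offset 25 and the device name at offset 43; a buffer of NOPs yields no hits.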
___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>