<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE implements on int 3:
with EBP='BCHK' and AX=4 on entry, SoftICE's int 3 handler answers by
changing AL (it returns 0), so if AL still holds 4 after the interrupt, no
SoftICE is present.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It is used to
reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description of the back door functions:
 -AX = 0910h (display a string in the SoftICE window)
 -AX = 0911h (execute a SoftICE command; the command string is at DS:DX)
 -AX = 0912h (get breakpoint information)
 -AX = 0913h (set SoftICE breakpoints)
 -AX = 0914h (remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' SoftICE requires in SI and DI before it honours
the back door call.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

 4C19:0095  MOV  AX,0911    ; execute command.
 4C19:0098  MOV  DX,[BX]    ; DS:DX points to the command (see below).
 4C19:009A  MOV  SI,4647    ; 1st magic value.
 4C19:009D  MOV  DI,4A4D    ; 2nd magic value.
 4C19:00A0  INT  3          ; back door call (if SoftICE is not loaded, jump to 00AD*)
 4C19:00A1  ADD  BX,02      ; BX+2 to point to the next command to execute
 4C19:00A4  INC  CX
 4C19:00A5  CMP  CX,06      ; repeat 6 times to execute
 4C19:00A8  JB   0095       ; 6 different commands.
 4C19:00AA  JMP  0002       ; Bad_Guy: jump back.
 4C19:00AD  MOV  BX,SP      ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (a hard reboot of the machine).
* the "jump to 00ADh" is performed by the program's own exception handler
  when the debugger is not loaded: without SoftICE, the int 3 is handled by
  the program itself, which then continues at 00ADh.
___________________________________________________________________________

Method 03
=========

A less used method. It asks for the SoftICE VxD's API entry point via
int 2Fh/AX=1684h (Windows "Get Device API Entry Point") with the VxD ID of
SICE: a non-zero ES:DI on return means the VxD is loaded.

        xor di, di
        mov es, di              ; ES:DI = 0:0 before the call
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE (SICE)
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point, or still 0:0
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it asks for the VxD ID of the
SoftICE video (GFX) VxD, SIWVID.

        xor di, di
        mov es, di              ; ES:DI = 0:0 before the call
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point, or still 0:0
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger that implements the int 41h debugger interface. It calls
int 41h, function 4Fh (debugger installation check).
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next variant, as well as the one in Method 06, are two examples from
Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector in the IVT is
temporarily replaced by a do-nothing handler, so a 0F386h answer can only
come from something that intercepts the interrupt before it reaches the
IVT, as SoftICE does:

        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; swap in our handler (offset)
        xchg bx, es:[41h*4+2]   ; (segment)
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret                    ; does nothing: AX is left untouched
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

Second variant, similar to the preceding one but harder to spot because it
uses neither function 4Fh nor the 0F386h constant. A pseudo-random byte (the
PIT counter read from port 40h) is passed in AL, and the program's own
int 41h handler copies it to CL. If CL differs from AL afterwards, the
handler was never reached, i.e. something else (SoftICE) swallowed the
int 41h:

int41handler PROC
        mov cl, al              ; only runs if nobody intercepted int 41h
        iret
int41handler ENDP


        xor ax, ax
        mov es, ax              ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; swap in our handler
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random value in AL
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): function 43h of
int 68h is the installation check of the int 68h debugger interface and
returns 0F386h in AX when a debugger is present.

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 in SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system: the
program intercepts int 01h and int 03h (the single-step and breakpoint
exceptions a debugger depends on) and redirects them to its own routine.
It calls int 21h functions 35h and 25h (get/set interrupt vector); DS:DX
points to the new routine to execute (which hangs the computer...).

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to Methods 03 and 04 (int 2Fh/1684h) but it can only
be performed in ring 0 (from a VxD, or from a ring 3 app going through
VxDCall).
The VMM Get_DDB service tells whether a VxD with the given device ID is
installed and returns its Device Description Block (in ECX) if it is.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID (VxD IDs)
        mov edi, Device_Name    ; only used when there is no VxD ID (useless here ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature, and DO NOT
   trace with SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only) the program can tell whether
SoftICE is loaded (DR7 = 0x700 if the target was started with the SoftICE
loader, 0x400 otherwise) and whether hardware memory breakpoints are set
(the enable bits in DR7 and the addresses in DR0 to DR3). The values can be
manipulated as well, for instance to clear your BPMs.

__________________________________________________________________________
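To make the Method 10 check concrete, here is an added example (editor-supplied, not code from the original document or from SoftICE) that decodes DR7 the way the ring-0 code would and pairs the enabled slots with the addresses in DR0..DR3. The bit layout is the architectural one (Intel SDM, "Debug Registers"); the 0x700 / 0x400 fingerprint is the one stated above and is treated as a heuristic, and the register values fed in are constructed.

```python
"""Added example: decode the x86 debug control register DR7 the way the
ring-0 check in Method 10 looks at it. Editor-supplied code, not from the
original document; the 0x700 / 0x400 reading of the SoftICE loader is the
heuristic stated in the text."""

# R/W field: what kind of access triggers breakpoint n
RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN field: width of the watched range (10b = 8 bytes, 64-bit mode only)
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7):
    """Return a dict describing DR7: global flags and the enabled breakpoints.

    Bit layout:
      bit 2n    Ln   local enable of DRn      bit 8   LE  local exact
      bit 2n+1  Gn   global enable of DRn     bit 9   GE  global exact
      bit 10    reserved, always reads as 1   bit 13  GD  general detect
      bits 16+4n,17+4n  R/Wn                  bits 18+4n,19+4n  LENn
    """
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        bps.append({
            "reg": n,
            "scope": "global" if glob else "local",
            "type": RW_TYPES[rw],
            "len": LEN_BYTES[ln],
        })
    return {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
        "breakpoints": bps,
    }


def hw_breakpoints(dr7, dr0_3):
    """Pair each enabled DR7 slot with its address in DR0..DR3 (the
    'read dr0 to dr3' part of Method 10). dr0_3 is a 4-element sequence."""
    return [
        (bp["reg"], dr0_3[bp["reg"]], bp["type"], bp["len"], bp["scope"])
        for bp in decode_dr7(dr7)["breakpoints"]
    ]


def softice_loader_fingerprint(dr7):
    """Heuristic from the text: DR7 == 0x700 (LE and GE set on top of the
    always-on bit 10) is what the SoftICE loader leaves behind; a clean
    system shows 0x400. Returns 'softice-loader', 'clean' or 'other'."""
    if dr7 == 0x700:
        return "softice-loader"
    if dr7 == 0x400:
        return "clean"
    return "other"


def clear_hw_breakpoints(dr7):
    """What a hostile program does to kill BPMs: drop every Ln/Gn enable
    bit and the R/W and LEN fields, keep bits 8..15 (LE, GE, bit 10, GD)."""
    return dr7 & 0xFF00


if __name__ == "__main__":
    # Constructed sample: DR0 watching 4 bytes for read/write (global),
    # DR1 an execute breakpoint (local), plus the always-set bit 10.
    sample_dr7 = 0x2 | 0x4 | (0x3 << 16) | (0x3 << 18) | 0x400   # 0xF0406
    sample_drs = [0x00401000, 0x00402000, 0, 0]
    print(hex(sample_dr7), decode_dr7(sample_dr7))
    print(hw_breakpoints(sample_dr7, sample_drs))
    print(softice_loader_fingerprint(0x700), softice_loader_fingerprint(0x400))
    print(hex(clear_hw_breakpoints(sample_dr7)))
```

Run it as a script to see the constructed DR7 taken apart; the same decoder is what you would drop into a debugger script to check, before tracing a protected target, whether any BPM is still armed.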

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
themselves so that Symbol Loader could check whether SoftICE was active
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open a handle to the SoftICE drivers (SICE and SIWVID on Win9x,
NTICE on WinNT) with the CreateFileA API; success means the driver is
loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* the C literal "\\\\.\\SICE" is the device name \\.\SICE */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;            /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls CreateFileA, don't expect to intercept it by
installing an IFS hook: it will not work, no way!
After the call to CreateFileA the request goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN, then
DIOC_CLOSEHANDLE) to the VxD's Control_Dispatch proc (how on earth could a
shareware program load/unload a non-dynamically loadable driver such as
SoftICE ;-).
If the VxD is loaded, it always clears EAX and the carry flag on that
message to allow its handle to be opened, and so it gets detected.
You can check this simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067:  push 00402025           ; "\\.\SICE"
        0040106C:  call CreateFileA
        00401071:  cmp  eax,-001           ; INVALID_HANDLE_VALUE?
        00401074:  je   00401091           ; no handle -> not loaded


There could be hundreds of BPXs you could use to catch this trick.
-The most classical one (esp->4 is the lpFileName argument, and +4 skips
 the "\\.\" prefix so the comparison lands on the driver name):
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (can be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; HFILE_ERROR (-1) becomes 0
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it only works on Win95/98
(not NT) as it goes through the VxDCall back door. This detection was found
in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word selects the VxD (002A = VWIN32),
                                ; low word the service (002A = VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0F386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, there are several ways to catch it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to catch it (esp->8 is the lpSubKey argument; offsets
0x13 and 0x37 are where the "tICE" of "SoftICE" falls in key #2 and in
key #1 respectively):
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je  not_installed       ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>