<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature inside SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It is used to
reach SoftICE's 'Back Door commands', which give information on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in the SoftICE window)
-AX = 0911h (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the dongle HASP Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h that every system debugger
returns (in AX) when int 41h function 4Fh is called.
There are several variants.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

This variant, as well as the one in the following method, are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net). The program temporarily
installs a dummy int 41h handler of its own, so the call is safe even when
nothing services int 41h; SoftICE intercepts the interrupt before the
real-mode vector is reached and still answers with 0F386h:

 xor ax,ax
 mov es,ax ; ES -> interrupt vector table (segment 0)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our handler, saving the old vector
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method, similar to the preceding one but harder to spot. The program
reads a changing byte from the timer port into AL and expects its own
int 41h handler to copy it into CL; if a debugger services int 41h instead,
CL and AL differ:

int41handler PROC
 mov cl,al
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax ; ES -> interrupt vector table (segment 0)
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4] ; install our handler, saving the old vector
 xchg bx, es:[41h*4+2]
 in al, 40h ; timer channel 0: a byte that changes all the time
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4] ; restore the old vector
 xchg bx, es:[41h*4+2]
 cmp cl,al
 jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
 BPX exec_int if ax==68
 (the function called is located at byte ptr [ebp+1Dh] and the client EIP
 is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (which hangs the computer...):

 mov ah, 25h
 mov al, Int_Number ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ecx)
if it is.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
 mov edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
with SoftICE while the option is enabled!!

This trick is very effective:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with SoftICE's loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
value (ring 0 only). The values can also be manipulated or changed
(clearing BPMs, for instance).

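The two DR7 values quoted above are easier to reason about once the register is split into its fields. The following C decoder is an added example, not code from the original text nor from NuMega or any protector; it cannot read DR7 itself (that takes a `mov eax, dr7` in ring 0, from a VxD or driver), so it takes the raw value as input and shows what 0x400 (only the always-set reserved bit 10) and 0x700 (bit 10 plus the LE/GE exact-breakpoint flags) encode, and which of the four breakpoint slots DR0 to DR3 are armed. The third sample value, a 4-byte read/write breakpoint on DR0, is an assumption of what a BPM leaves behind, not something the page states.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one of the four hardware breakpoint slots controlled by DR7. */
struct dr7_slot {
    int local;      /* Ln: enabled for the current task */
    int global;     /* Gn: enabled for all tasks */
    int rw;         /* R/Wn: 0 = execute, 1 = write, 2 = I/O (needs CR4.DE), 3 = read/write */
    int len_bytes;  /* LENn decoded: 1, 2, 4 (8 only exists in 64-bit mode) */
};

struct dr7_info {
    struct dr7_slot slot[4];
    int le, ge;        /* bits 8/9: local/global "exact breakpoint" flags */
    int bit10;         /* bit 10: reserved, always set on a 386+ */
    int gd;            /* bit 13: general detect (trap on any DRn access) */
    int enabled_slots; /* how many of slot[0..3] have L or G set */
};

/* Splits a raw DR7 value into its architectural fields (Intel SDM vol. 3, "Debug Registers"). */
struct dr7_info dr7_decode(uint32_t dr7)
{
    static const int len_tab[4] = {1, 2, 8, 4}; /* LEN encodings 00, 01, 10, 11 */
    struct dr7_info d = {0};
    for (int n = 0; n < 4; n++) {
        d.slot[n].local     = (dr7 >> (2 * n))      & 1;
        d.slot[n].global    = (dr7 >> (2 * n + 1))  & 1;
        d.slot[n].rw        = (dr7 >> (16 + 4 * n)) & 3;
        d.slot[n].len_bytes = len_tab[(dr7 >> (18 + 4 * n)) & 3];
        if (d.slot[n].local || d.slot[n].global)
            d.enabled_slots++;
    }
    d.le    = (dr7 >> 8)  & 1;
    d.ge    = (dr7 >> 9)  & 1;
    d.bit10 = (dr7 >> 10) & 1;
    d.gd    = (dr7 >> 13) & 1;
    return d;
}

/* The observations the text relies on: 0x400 is the reset value (only the
 * reserved bit 10 set); 0x700 additionally has LE and GE on, which is what the
 * text reports after starting a program from SoftICE's loader; any L/G bit set
 * means a BPM-style hardware breakpoint is armed in DR0..DR3. */
int dr7_is_reset_value(uint32_t dr7)     { return dr7 == 0x400; }
int dr7_has_exact_bp_flags(uint32_t dr7) { struct dr7_info d = dr7_decode(dr7); return d.le && d.ge; }
int dr7_has_hw_breakpoint(uint32_t dr7)  { return dr7_decode(dr7).enabled_slots > 0; }

static const char *rw_name(int rw)
{
    static const char *names[4] = {"exec", "write", "io", "read/write"};
    return names[rw & 3];
}

void dr7_print(uint32_t dr7)
{
    struct dr7_info d = dr7_decode(dr7);
    printf("DR7=%#010x LE=%d GE=%d GD=%d enabled slots=%d\n",
           (unsigned)dr7, d.le, d.ge, d.gd, d.enabled_slots);
    for (int n = 0; n < 4; n++)
        if (d.slot[n].local || d.slot[n].global)
            printf("  DR%d: %s%s %s len=%d\n", n,
                   d.slot[n].local ? "L" : "", d.slot[n].global ? "G" : "",
                   rw_name(d.slot[n].rw), d.slot[n].len_bytes);
}

int main(void)
{
    /* Constructed sample values: the two the text quotes, plus a DR7 as a 4-byte
     * read/write BPM on DR0 would leave it (assumption: L0=1, R/W0=11, LEN0=11). */
    uint32_t samples[] = { 0x400, 0x700, 0x400 | 0x1 | (3u << 16) | (3u << 18) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        dr7_print(samples[i]);
    return 0;
}
```

Reading the register is the privileged part; the decoding above is what a ring 0 check (or a SoftICE user wondering why a protector reacts to a BPM) needs to interpret the value, and clearing the L/G bits is exactly the "clearing BPMs" manipulation the text mentions.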
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE', because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open a handle to the SoftICE drivers (SICE and SIWVID on Win9x,
NTICE on WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* The open only succeeds if the VxD is loaded and answers DIOC_OPEN. */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}
Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA, it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall), and then
walks the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how the hell could a shareware program load/unload
a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(
-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax ; HFILE_ERROR (-1) becomes 0 on failure
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32),
 ; low word specifies which service (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to find out whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
inside the subkey strings of #2 and #1 respectively):

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
8 V+ v! T W& ~5 `; m1 l- d" |
& T A& D$ o' n6 _& J# }( j! ~( PMethod 14 / Z, t$ J9 ~( l) P- y( g
=========" w( H9 O+ O ^* J; l9 ], O3 |
9 N H6 v% E$ {8 p' Y7 L
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
r0 Y4 q( e7 qis to determines whether a debugger is running on your system (ring0 only).
) u" R( Q. k" Z4 {5 Z) k
/ }/ b* \: S# Z VMMCall Test_Debug_Installed
0 M- H) a: }) m. k8 i) Q je not_installed
( ]' Z2 c# b6 i* T5 a/ }) T
8 v; r5 S9 x. ~& {This service just checks a flag.
V( p5 h! v4 b' E, |</PRE></TD></TR></TBODY></TABLE> |