<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax, 4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        mov ax, 4fh
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

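As an added example (not part of the original text), here is a decoder for the DR7 values quoted above, following the Intel debug-register layout; it shows that 0x400 is just the always-set reserved bit 10, that 0x700 adds the LE/GE exact-breakpoint bits, and how an armed BPM (dr0-dr3) shows up. The 0x4D0401 value used in the demo is constructed.

```python
# Added example: decode DR7 to explain the 0x400 / 0x700 values in the text.
# Layout (Intel SDM): bits 0-7 = L0,G0,L1,G1,L2,G2,L3,G3 enables; bit 8 = LE;
# bit 9 = GE; bit 10 always reads 1; bit 13 = GD; bits 16-31 = R/Wn, LENn.
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its control fields and armed breakpoints."""
    bps = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        if local or glob:               # only list breakpoints that are enabled
            bps.append({"n": n, "local": local, "global": glob,
                        "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "LE": bool((dr7 >> 8) & 1),     # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),     # global exact breakpoint enable
        "GD": bool((dr7 >> 13) & 1),    # general detect: trap on MOV to/from DRn
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "breakpoints": bps,
    }


def softice_loader_signature(dr7: int) -> bool:
    """True for the 0x700 pattern the text attributes to the SoftICE loader:
    LE and GE set while no hardware breakpoint is armed."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"] and not d["breakpoints"]


if __name__ == "__main__":
    for value in (0x400, 0x700, 0x4D0401):   # last one: constructed 4-byte BPM on dr0
        print(hex(value), decode_dr7(value), softice_loader_signature(value))
```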
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

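The breakpoints above catch these checks at run time; as an added example (not part of the original text), here is a static triage scanner that looks for the same snippets in a file image, covering the byte patterns of methods 01, 02, 03/04, 05, 07, 11 and 12. The instruction encodings are the 16-bit/32-bit x86 forms of the listed instructions, and the sample image is constructed for this example rather than taken from a real binary.

```python
# Added example: static signature scan for the SoftICE checks described above.
# Patterns are substring matches, so they hit whether or not a 66h operand-size
# prefix precedes the instruction in 32-bit code.
import re

# signature name -> regex over raw bytes (compiled with re.DOTALL below)
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 (66h prefix in 16-bit code)
    "01 BoundsChecker BCHK int3":  rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}?\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh magic values
    "02 SoftICE backdoor magic":   rb"\xBE\x47\x46\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "03/04 int 2F/1684 VxD ID":    rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "05 int 41/4F debugger check": rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "07 int 68/43 WinICE handler": rb"\xB4\x43\xCD\x68",
    # Method 11 (MeltICE): NUL-terminated device names passed to CreateFileA/_lopen
    "11 MeltICE device name":      rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh / push 002A002Ah before the VxDCall
    "12 VxDCall Int41Dispatch":    rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(image: bytes) -> list[tuple[int, str]]:
    """Return (offset, signature name) for every hit, ordered by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(image):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: hand-assembled 16-bit forms of the method 01 and 05
# snippets, the MeltICE device string, and the method 12 pushes, separated
# by NOP filler so the offsets are easy to follow.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"        # mov ebp,4243484Bh            (offset 4)
    + b"\xB8\x04\x00"                    # mov ax,4
    + b"\xCC"                            # int 3
    + b"\x3C\x04"                        # cmp al,4
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"            # mov ax,4Fh / int 41h         (offset 20)
    + b"\x3D\x86\xF3"                    # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                 # '\\.\SICE',0                 (offset 32)
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"    # push 4Fh / push 002A002Ah    (offset 45)
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```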
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>