<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========
Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name     ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).
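To make the two DR7 values quoted above readable, here is a small decoder for the x86 DR7 register. It is an added example, not code from the original text or from SoftICE: it breaks DR7 into its documented fields (Intel SDM layout), reports which of DR0..DR3 are armed, and encodes the page's 0x700-vs-0x400 rule as a test on the LE/GE bits, which is the only place those two values differ (an assumption stated in the code). The sample value 0xD0701 is constructed for the example.

```python
# Added example (not from the original text): decode an x86 DR7 value.
# Layout (Intel SDM, "Debug Registers"): bits 0-7 are L0,G0,...,L3,G3
# (local/global enable per breakpoint), bit 8 LE, bit 9 GE, bit 10 is
# reserved and always reads as 1 (hence the 0x400 floor), bit 13 GD
# (general detect); bits 16-31 hold R/Wn and LENn, two bits each.
RW_KINDS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the enabled hardware breakpoints and the control bits of DR7."""
    breakpoints = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            breakpoints.append({
                "index": i,             # which of DR0..DR3 holds the address
                "local": bool(local),
                "global": bool(glob),
                "kind": RW_KINDS[rw],
                "length": LEN_BYTES[ln],
            })
    return {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
        "breakpoints": breakpoints,
    }


def has_hardware_breakpoints(dr7: int) -> bool:
    """True if any of DR0..DR3 is enabled, i.e. a BPM is armed.
    Checking the enable bits is more reliable than reading DR0..DR3 for
    non-zero addresses, since a stale address may remain in a disabled slot."""
    return bool(dr7 & 0xFF)


def matches_softice_loader_value(dr7: int) -> bool:
    """The page's rule: DR7 == 0x700 under the SoftICE loader, 0x400 otherwise.
    Only bits 8 and 9 (LE, GE) differ between those two values, so the test
    is on them (assumption: the loader touches no other bits)."""
    return (dr7 & 0x300) == 0x300


def describe(dr7: int) -> str:
    """One-line human-readable summary of a DR7 value."""
    d = decode_dr7(dr7)
    parts = [f"DR7={dr7:#010x}", f"LE={int(d['le'])}",
             f"GE={int(d['ge'])}", f"GD={int(d['gd'])}"]
    for bp in d["breakpoints"]:
        scope = "global" if bp["global"] else "local"
        parts.append(f"DR{bp['index']}: {scope} {bp['kind']} len={bp['length']}")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed samples: the two values from the text, plus a DR7 with
    # DR0 armed as a local 4-byte write breakpoint on top of the 0x700 base.
    for value in (0x400, 0x700, 0xD0701):
        print(describe(value))
```

Run stand-alone it prints one summary line per sample; `decode_dr7` is the piece to reuse when you dump debug registers from a crash dump or a hypervisor trace and want to know whether a BPM was actually armed rather than just whether DR0..DR3 are non-zero.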
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name succeeds only when the SICE VxD is loaded. */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 &amp; 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh           ; function 4Fh
    push 002A002Ah           ; high word specifies which VxD (VWIN32),
                             ; low word specifies which service
                             ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001   ; VxdCall
    cmp ax, 0F386h           ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

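The breakpoints given throughout this text catch the tricks at run time. For static triage of a sample, the same constants can be looked for in the file image: the 'BCHK' signature (Method 01), the SI/DI magic values (Method 02), the VxD IDs queried through int 2Fh (Methods 03 and 04), the int 41h/4Fh and 0F386h checks (Methods 05, 07, 12), the `\\.\SICE` style device names (Method 11), the VWIN32_Int41Dispatch service number (Method 12) and the registry key names (Method 13). The scanner below is an added example, not part of the original text or of any published rule set: the byte patterns are derived here from the standard x86 encodings of the instructions shown on the page, the `SAMPLE` buffer is constructed for the demonstration, and the patterns will naturally miss variants that compute the constants instead of encoding them as immediates.

```python
import re

# Added example (not from the original text): static indicators for the
# anti-SoftICE tricks described on the page, as a triage aid.
# Each entry: (method number on the page, description, regex over raw bytes).
# Immediates use little-endian x86 encodings (mov r16,imm16 = B8+reg iw,
# mov ebp,imm32 = BD id, mov ah,imm8 = B4 ib, int imm8 = CD ib,
# push imm32 = 68 id, cmp ax,imm16 = 3D iw); when a 66h operand-size
# prefix is present in 32-bit code it simply precedes the match.
INDICATORS = [
    (1, "BoundsChecker signature 'BCHK' (mov ebp,4243484Bh)",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    (2, "INT 3 back door magic values SI=4647h / DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A", re.DOTALL)),
    (3, "int 2Fh/1684h query for VxD ID 0202h (SICE)",
     re.compile(rb"\xBB\x02\x02.{0,8}\xCD\x2F", re.DOTALL)),
    (4, "int 2Fh/1684h query for VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xBB\x5F\x7A.{0,8}\xCD\x2F", re.DOTALL)),
    (5, "int 41h function 4Fh (mov ax,4Fh / int 41h)",
     re.compile(rb"\xB8\x4F\x00.{0,8}\xCD\x41", re.DOTALL)),
    (5, "compare against debugger magic 0F386h (also methods 07 and 12)",
     re.compile(rb"\x3D\x86\xF3")),
    (7, "int 68h function 43h (mov ah,43h / int 68h)",
     re.compile(rb"\xB4\x43.{0,8}\xCD\x68", re.DOTALL)),
    (11, "MeltICE device name passed to CreateFileA/_lopen",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)")),
    (12, "VxDCall VWIN32_Int41Dispatch (push 002A002Ah)",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
    (13, "SoftICE registry key name",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE")),
]


def scan(data: bytes):
    """Return hits as (offset, method, description), sorted by offset."""
    hits = []
    for method, desc, pat in INDICATORS:
        for m in pat.finditer(data):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(data: bytes):
    """Distinct page method numbers whose indicator appears in data."""
    return sorted({h[1] for h in scan(data)})


# Constructed sample: a few of the page's snippets assembled by hand,
# padded with NOPs. Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"              # mov ebp,4243484Bh       (method 01)
    + b"\xB8\x04\x00\xCC\x3C\x04"          # mov ax,4 / int 3 / cmp al,4
    + b"\xB8\x11\x09"                      # mov ax,0911h            (method 02)
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x31\xFF\x8E\xC7"                  # xor di,di / mov es,di   (method 03)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh / int 41h / cmp ax,0F386h (05)
    + b"\\\\.\\SICE\x00"                   # MeltICE device name     (method 11)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"      # push 4Fh / push 002A002Ah (method 12)
    + b"Software\\NuMega\\SoftICE\x00"     # registry key            (method 13)
)


if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  method {method:02d}  {desc}")
    print("methods found:", methods_found(SAMPLE))
```

Run against a real file with `scan(open(path, "rb").read())`. The short `.{0,8}` gaps allow a few unrelated bytes between the immediate load and the interrupt; widen them for samples that interleave junk instructions, and expect a few chance matches on the two- and three-byte patterns in large binaries, which is why each hit carries its offset for manual confirmation in a disassembler.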
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>