<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature support in SoftICE: the 'BCHK'
marker is placed in EBP and an INT 3 is issued. If SoftICE is loaded,
its INT 3 handler recognises the marker and changes AL, so an AL that
is no longer 4 means the debugger is present.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information about
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911    ; execute command.
4C19:0098 MOV DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647    ; 1st magic value.
4C19:009D MOV DI,4A4D    ; 2nd magic value.
4C19:00A0 INT 3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06      ; Repeat 6 times to execute
4C19:00A8 JB 0095        ; 6 different commands.
4C19:00AA JMP 0002       ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point). If the VxD is not installed, ES:DI comes back zero.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

This next one, as well as the following method, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily replaced
by a dummy handler (a bare iret) around the call, so the 0F386h answer can
only come from something intercepting the interrupt below the vector table:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; assumes ES = 0 (see method 06)
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect. A
byte read from the timer port goes into AL and the temporary handler copies
AL into CL. If SoftICE intercepts int 41h instead of letting that handler
run, CL (cleared beforehand) no longer matches AL.

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read a byte from the timer (port 40h)
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (dr7=0x700 if you loaded the soft with the SoftICE
loader, 0x400 otherwise) or whether memory breakpoints are set (dr0 to dr3),
simply by reading their value (in ring 0 only). The values can be
manipulated or changed as well (clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega people
to allow Symbol Loader to check whether SoftICE was active or not (the code
is located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when a handle to the SICE device can be opened, i.e. when
   the SoftICE VxD is loaded. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 and 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually
#2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-( ).

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
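The tricks in methods 01 to 13 leave recognisable byte patterns in a protected
executable: the 'BCHK' and 4647h/4A4Dh immediates, the int 41h/4Fh and
int 2Fh/1684h sequences, the 0F386h compare, debug register reads, the
\\.\SICE device names and the registry paths. As an added example (not part
of this text nor of any tool it mentions), here is a small Python triage
scanner for them; the opcode encodings are hand-assembled from the listings
above and the sample buffer is constructed, not taken from a real program.

```python
"""Static triage of a binary for the SoftICE checks described in this text."""
import re

# (method, description, bytes regex). Encodings follow the listings above
# (16-bit or 32-bit as each listing is written); with DOTALL a '.' stands for
# any byte, so a few instructions may sit between the anchoring opcodes.
SIGNATURES = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in [
    ("01", "'BCHK' magic loaded into EBP before INT 3",
     rb"\xbd\x4b\x48\x43\x42"),
    ("02", "INT 3 back door magic values SI=4647h, DI=4A4Dh",
     rb"\xbe\x47\x46.{0,6}\xbf\x4d\x4a"),
    ("03/04", "INT 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a).{0,8}\xcd\x2f"),
    ("05", "INT 41h/4Fh result compared against 0F386h",
     rb"\xb8\x4f\x00\xcd\x41.{0,12}\x3d\x86\xf3"),
    ("07", "INT 68h/43h result compared against 0F386h",
     rb"\xb4\x43\xcd\x68.{0,4}\x3d\x86\xf3"),
    ("10", "MOV r32, DRn (debug register read, ring 0 only)",
     rb"\x0f\x21[\xc0-\xff]"),
    ("11", "MeltICE device name passed to CreateFileA/_lopen",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    ("12", "VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    ("13", "SoftICE registry key path",
     rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe)"),
]]

def scan(blob):
    """Return (offset, method, description) for every hit, ordered by offset."""
    hits = []
    for method, description, pattern in SIGNATURES:
        for match in pattern.finditer(blob):
            hits.append((match.start(), method, description))
    return sorted(hits)

def methods_found(blob):
    """Distinct method numbers hit in blob, e.g. ['01', '11']."""
    return sorted({method for _, method, _ in scan(blob)})

# Constructed sample: the listings above hand-assembled and glued with NOPs;
# it is not taken from any real program.
SAMPLE = (
    b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"          # Method 01 (32-bit)
    b"\x90\x90"
    b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"  # Method 02 (16-bit)
    b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"                   # Method 03
    b"\xb8\x4f\x00\xcd\x41"                               # Method 05, Stone's
    b"\x26\x87\x16\x04\x01\x26\x87\x1e\x06\x01\x3d\x86\xf3"  # variant
    b"\xb4\x43\xcd\x68\x3d\x86\xf3"                       # Method 07
    b"\x0f\x21\xf8"                                       # Method 10: mov eax,dr7
    b"\x6a\x4f\x68\x2a\x00\x2a\x00"                       # Method 12
    b"\\\\.\\SICE\x00Software\\NuMega\\SoftICE\x00"       # Methods 11 and 13
)

if __name__ == "__main__":
    for offset, method, description in scan(SAMPLE):
        print(f"{offset:#06x}  Method {method:6} {description}")
```

Hits are triage leads rather than proof: the wildcard gaps can line up by
chance, and the method 10 pattern fires on any MOV r32,DRn.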


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring 0
only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>