<TABLE width=500>9 ^. d) p/ w! O4 o1 F' R
<TBODY>
% i1 ?! _1 x- y<TR># W6 D2 v- N' U3 |: r+ Z( i6 e
<TD><PRE>Method 01
/ m' o3 |0 a$ j& Y=========
6 C5 o6 K7 z2 p9 U x: J+ W' i, l* Z, o
This method of detection of SoftICE (as well as the following one) is2 y1 ?/ }' c$ u% i7 {6 A' B8 }+ }
used by the majority of packers/encryptors found on Internet.
! T/ P& R3 `- w. B. c4 ^It seeks the signature of BoundsChecker in SoftICE
7 c b! t/ u2 P
3 ~3 q$ ~9 t0 G. l5 g9 H mov ebp, 04243484Bh ; 'BCHK'+ g/ K8 x: Y# D% \* Y; r
mov ax, 04h
+ l& ?/ r- R1 S3 }* K) C' x int 3
T! N# y- \* r3 s0 `3 W9 y, X cmp al,4# t, Q1 x/ g/ ~+ y% x X& {3 E
jnz SoftICE_Detected3 p+ V. o5 \/ l* S
) `( \: E) A0 M___________________________________________________________________________4 K, A/ q- p# x, w" a
% Q% o) A9 r3 T# h: A: _7 N" E( \Method 02
) y1 g& P4 U+ n5 U% W=========0 m) x2 L- a: k2 P+ t7 \' ]* c
5 P8 ~- b- I* w z* S6 m4 i" h
Still a method very much used (perhaps the most frequent one). It is used
& V" P) I8 r j1 w# l' g8 r0 lto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
! o) @8 o8 K) l8 Qor execute SoftICE commands...
- `: r5 B* U4 g' h- r) kIt is also used to crash SoftICE and to force it to execute any commands
, {8 P7 t6 v1 c(HBOOT...) :-((
- H# J* ~4 w5 i2 p
1 D. k+ G1 x) vHere is a quick description:6 k* q! }+ }7 Z' M9 y: c
-AX = 0910h (Display string in SIce windows). j1 r5 E0 {* N
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
; Y7 V0 U1 p C5 H0 c; _4 I# s-AX = 0912h (Get breakpoint infos)3 Z5 c3 N9 `# S0 H# M) [
-AX = 0913h (Set Sice breakpoints)& Q7 Z& B; w5 \; v: r
-AX = 0914h (Remove SIce breakoints)
: p$ f) [' k; Y1 C% z# r/ i2 [* X5 T A/ I1 b) ]
Each time you'll meet this trick, you'll see:
$ q9 K9 g" _, W# j" ?-SI = 4647h
% @' c4 x) j# T7 q7 g' c1 X-DI = 4A4Dh
& R& m0 E& c$ K! _Which are the 'magic values' used by SoftIce.% O/ e" [% \) D+ j8 ^
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
; J1 C7 h2 r. |9 S0 R7 Q; a4 n5 n F+ j0 i4 ?; g' o- K" v2 ~
Here is one example from the file "Haspinst.exe" which is the dongle HASP
; D$ V+ \3 r* JEnvelope utility use to protect DOS applications:, ~0 V' O9 e2 Z. F5 `
1 a8 e3 {, h+ L, m; K1 Y9 }7 G; T+ }& v% t
4C19:0095 MOV AX,0911 ; execute command.$ h7 \1 q+ z4 h
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
4 K* J" T% v/ r( \& e: K' Y4C19:009A MOV SI,4647 ; 1st magic value.; \) F8 F- e' Z" @+ E
4C19:009D MOV DI,4A4D ; 2nd magic value.4 a7 S8 M+ B" t- W) l
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
2 h: j ?5 H9 N# d9 m; h4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute4 u7 q; i2 p* W" p4 n9 e" l- G
4C19:00A4 INC CX6 I/ R0 L8 }3 Z" d& J, O
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute" Y1 L, V: k) K3 t' S+ W6 |
4C19:00A8 JB 0095 ; 6 different commands.
: {7 |2 R/ Y' _/ |0 `4C19:00AA JMP 0002 ; Bad_Guy jmp back.
0 B, c8 v* m6 i5 x* J4C19:00AD MOV BX,SP ; Good_Guy go ahead :). O: t9 K( G( ^9 h/ H
2 m4 M0 G* [0 f, @, q1 F- v4 ~, VThe program will execute 6 different SIce commands located at ds:dx, which' e+ z7 u7 B* u) g7 p# [0 h
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.0 L& K' k6 M {' b( O
% ^6 j2 Z6 u- e5 v2 ?
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.* G! [3 E- _( l8 B1 F8 M
___________________________________________________________________________( J# D: E: m% _2 W1 x7 ]- s4 }0 }
/ q- ]- {6 q% O/ J3 O; G" a0 @4 U, n# v# T( H- V; m% u
Method 03" k3 v2 q% w! Y1 \& q
=========
/ a& `. W8 e3 }, L. Q4 w- T' o- B4 [
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h4 Y' G- J7 G7 o( Y7 i
(API Get entry point)
( V# j" J7 a( ~( N7 w% a; P$ | 4 D2 ?, c/ A7 H0 h4 @7 z2 a# V* f
5 Y1 Q; h, L9 e9 z2 b* n: M5 \ xor di,di5 D$ h; o! K2 K
mov es,di' C3 `8 p3 _! o$ A7 t/ v u% S3 j Q
mov ax, 1684h
2 v6 f' A# Q$ r1 @ mov bx, 0202h ; VxD ID of winice) d ~- d- M0 I3 l4 V6 d
int 2Fh
) p9 P" h, z: L6 [+ Z mov ax, es ; ES:DI -> VxD API entry point
) K+ b, E3 A) Z% m( `9 E& q add ax, di7 v, d4 C% S( S7 ^6 ^
test ax,ax
9 l6 T2 R" o) r" m: u: G2 @" | jnz SoftICE_Detected N: R" q. b J( ~5 K4 U
" }7 N$ r) {3 u* k
___________________________________________________________________________
. y- {: E! y# v, h1 m+ ]& z
5 Q6 i8 t7 B( NMethod 04
3 O/ ^1 W) s& j4 y: V( c=========4 \( N+ C, N9 p/ D
# o9 [9 M9 U8 ]* r- ~) XMethod identical to the preceding one except that it seeks the ID of SoftICE. } r$ S# n8 [/ `: V n+ Y
GFX VxD.1 L+ k( R0 z. }2 x$ N3 l" e7 j& b
, o+ a2 Z; }; L) n0 i xor di,di4 Z7 D: b! {; ?/ v' `. Q
mov es,di
1 T P& F5 C0 y" K$ x mov ax, 1684h
' Z8 ^; Q( B1 ^* i( l2 Q mov bx, 7a5Fh ; VxD ID of SIWVID! {2 l u/ I# V! Y
int 2fh! L, p9 x) z1 c3 e7 e5 g' D
mov ax, es ; ES:DI -> VxD API entry point
9 q, `$ ?7 W+ \ add ax, di
/ W* g. A; n' U# ~# j. [ test ax,ax7 z& T1 Q! b; ^, A% w9 M! Y( Q
jnz SoftICE_Detected
+ _- q1 Q' i8 T N; X% q( T, ^
' p, t. ?% w6 M( V, p# D__________________________________________________________________________
, ~# s/ r: G" c. U9 M" u5 C+ F! S, x3 J* z
! ~: Y6 W$ L# m2 g% i
Method 05; J$ J* K4 m2 C4 i7 b+ y6 d0 B1 t
=========
! h# J9 j3 ]+ n7 Y+ D" B' H9 h
) u, ] `+ C$ \Method seeking the 'magic number' 0F386h returned (in ax) by all system: W5 x9 A- u3 a7 o
debugger. It calls the int 41h, function 4Fh.
% R% F2 q5 r1 H# P4 e% h* U1 jThere are several alternatives.
4 h. l3 s: s/ Q8 X* o) s' _- f5 j! R9 o/ w W# d2 V
The following one is the simplest:
7 M0 x, o$ j' m7 F8 w$ h# Y% L. b, P) Q/ Q7 n
mov ax,4fh' [8 U& o" F0 }: E" @# j
int 41h& K4 P( x" V% k7 w1 q, ~- w& s7 K
cmp ax, 0F386
) P0 ` V0 B( k* ~6 d y8 c% L jz SoftICE_detected; x: W g3 M, p W
$ a$ X$ b5 F$ f/ `; P9 m3 o( |: S& E2 ?; B. N1 B
Next method as well as the following one are 2 examples from Stone's - a" I; A1 c3 f4 C
"stn-wid.zip" (www.cracking.net):9 S5 Z+ n- t8 f, l& `. I5 N* {8 b
0 [2 ], ]8 ]! U9 \* L2 b5 |* L$ U% p mov bx, cs
/ d- }* @6 ?0 R# e5 K) Z lea dx, int41handler29 u7 B7 M2 h/ E$ O& ?0 m" n
xchg dx, es:[41h*4]
6 s; ~' ^! k( o/ z, D1 ~1 Z xchg bx, es:[41h*4+2]
; g& j8 i! R( q: c) ~ mov ax,4fh4 |( y K( R* l' k
int 41h
8 E4 K8 n6 t8 R! Z7 l8 @! A xchg dx, es:[41h*4]
5 j; a1 B. d6 | xchg bx, es:[41h*4+2]7 n4 Q* i" m. x
cmp ax, 0f386h8 |# H' |; s% Q
jz SoftICE_detected4 b4 L! I; H$ P8 S: u
+ ^+ F4 k( H8 e0 T( w
int41handler2 PROC; z! H; K8 h% |0 t9 Z9 d8 V6 U3 P
iret1 Q+ e! G3 p( i% o7 b3 l* h4 X. C" W
int41handler2 ENDP1 K: V! i) l i# N
4 K" t6 r: f7 V ] n# a. E0 O/ |! X. F @# M' u
_________________________________________________________________________
, _$ [0 b1 A8 |( E1 F& G6 ^0 ^
. p7 x9 A' [: [- P. g) \
# |9 m. p' U! PMethod 06
/ @4 X& v) ]* w$ W=========! R! S9 _% y q x
) E; ?( `; `$ ~9 _) |( i( n
+ }( [) l! y/ @, _8 I; \" W
2nd method similar to the preceding one but more difficult to detect:9 E" t8 o8 s1 ]% r; S+ j
( a2 v; H! h) o$ d7 f% ?
3 a; _) v0 C4 v( \
int41handler PROC
. X( b# r9 @5 L" | z+ p8 j2 v mov cl,al
/ K4 x; \' h h iret) G$ ]9 S1 {) i3 w8 _9 q- U& |
int41handler ENDP
% O) }8 F6 f, o, Y. \3 {
" ^7 W& Q, }# R, j6 P$ f D
2 e- ^& W! u7 j xor ax,ax
0 R6 x9 \) ?, r% l0 I. L$ z5 a mov es,ax) a5 Q3 b' s4 S8 }0 k
mov bx, cs: T9 p8 p) V Q# Z
lea dx, int41handler4 {. C$ i% Q" C
xchg dx, es:[41h*4]
& n/ }5 u y* T8 W% Q! m% [2 M xchg bx, es:[41h*4+2]
0 x& O2 r$ g/ y$ A( P in al, 40h
) y: W4 H, [4 D6 B |5 h$ D0 A xor cx,cx6 V$ O1 h6 c* L, y
int 41h
' @; p% a) p) O9 C3 M9 \$ z xchg dx, es:[41h*4]
{$ }7 q0 n2 l% G# x xchg bx, es:[41h*4+2]0 ]* i- }+ K0 }' p6 I. b
cmp cl,al: L2 g& F- I" u; Q1 ]5 Z3 v
jnz SoftICE_detected: _; H' B# I! P7 T, P9 ?
$ H6 N, Z" d4 m: T$ O8 d6 Q$ p
_________________________________________________________________________
% |9 c. Q) c5 {, v
2 i7 C2 v8 a) x0 w# ~( AMethod 07
+ o! V6 E; y6 b' l=========/ P: x& K6 |) g
/ L* a. d- x" E) n" c( FMethod of detection of the WinICE handler in the int68h (V86)
2 c# `; j6 s3 i" o0 `
: D8 a+ L& @. l% a( E7 Z mov ah,43h
4 ?5 F: B: H# r: P7 U int 68h# L0 O, \ ^0 N9 d/ I
cmp ax,0F386h
+ B6 K9 I" X2 P+ L jz SoftICE_Detected
l# W! P9 _1 D T2 P# R/ n |
: Q2 ~0 ~$ s4 `' }# y% T1 k+ ?3 a' d& G0 o+ i
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
1 F/ ]/ s, L% T; v0 s app like this:2 d R/ I: c! E, }1 ?, d' T
9 h$ K% N5 U3 ^1 ]6 q; C
BPX exec_int if ax==68- C# x @' L- S: p& ]2 }: ^
(function called is located at byte ptr [ebp+1Dh] and client eip is* x, E7 `+ a _1 ]) }* t
located at [ebp+48h] for 32Bit apps)
: v9 a- x( r4 q* Y9 G__________________________________________________________________________/ I$ C5 r1 ~. z, c V l
- ~" w4 E7 i4 o5 g6 u/ p) t: S0 j7 f
8 m* n4 v1 |8 P( S* [ G' @Method 08
/ I {; @* Z, ~; F6 \2 ]# N=========
3 w- [9 o5 B1 C0 @' U7 {7 J7 B- N
It is not a method of detection of SoftICE but a possibility to crash the
6 z: s: n3 C) T; D5 _system by intercepting int 01h and int 03h and redirecting them to another n, j6 k1 t' A0 D) s7 H$ i
routine.
3 Z+ u% m& o0 W6 }" T/ v) iIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points4 f4 b& N0 j$ P1 d2 K
to the new routine to execute (hangs computer...)4 N- S: L$ d# v) T3 l
~1 g; j M& T4 L4 B. `5 p% j mov ah, 25h
8 C; I4 G. z8 F2 n. l, q mov al, Int_Number (01h or 03h)* F6 l6 u7 X* S. r* M9 C
mov dx, offset New_Int_Routine; @7 ?5 L: z# Z
int 21h5 p( k# m- H2 V. H3 {" y
' ^( j% R- b# B" g* A3 L__________________________________________________________________________! }* ~/ e7 w/ Y. B5 L+ }5 {
- u6 C* ~5 P: V6 u# O+ xMethod 09' D2 h+ s" m3 ], _% o
=========4 i7 X' u. o; h) ?9 u6 c- T
% K4 C( `6 k8 TThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
- ~5 o# {# ~2 ]8 T, qperformed in ring0 (VxD or a ring3 app using the VxdCall).
) z/ U( N0 `7 i+ N! F6 e- ]% JThe Get_DDB service is used to determine whether or not a VxD is installed
: s6 B( f; H8 ~! Vfor the specified device and returns a Device Description Block (in ecx) for5 T) z* d$ ?* J4 p: p5 D+ |8 ]
that device if it is installed.
6 }- c' b, {5 R2 e8 _+ u. ~/ a4 E' u7 M6 Y; V' C/ G6 ` z
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
$ K4 M) V: N; V4 R& g1 y/ M; i mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)) h J/ o% a0 s1 t( b
VMMCall Get_DDB
/ C9 C7 U- G2 T! y- }, ^ mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
+ U! {& e. z+ L0 J) T: P E
7 p) y% J6 o7 X4 L/ W0 U5 eNote as well that you can easily detect this method with SoftICE:4 \0 e; }# ?5 a
bpx Get_DDB if ax==0202 || ax==7a5fh$ `2 h7 M4 f* c3 ~- p% [
& ^2 e3 s) s0 T2 j" S4 e
__________________________________________________________________________
$ i* n+ H1 c x3 N" F
% P1 u) h& n V, A5 FMethod 10; U, y# o2 t8 N# J
=========
* t# ]5 W- ~$ [$ B0 g, z( c+ s. g
0 a: m8 B# i% p2 b' d s! b4 ?=>Disable or clear breakpoints before using this feature. DO NOT trace with
# C$ Z' C* k" Y$ x* U+ Q SoftICE while the option is enable!!7 X: X; O1 x$ X3 `, ]
% s# k/ m* y% v& g% `' j
This trick is very efficient:
' v; e& w# R9 kby checking the Debug Registers, you can detect if SoftICE is loaded8 ?4 a3 t/ h! |" V4 g
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if- A6 c! @6 Z" s4 p+ @
there are some memory breakpoints set (dr0 to dr3) simply by reading their
9 L8 J2 G2 {, Evalue (in ring0 only). Values can be manipulated and or changed as well8 V' [2 @% }. N, r8 }3 `, }
(clearing BPMs for instance)
* M: X- A7 S5 D
/ S0 i7 T0 h( \* z+ x$ z__________________________________________________________________________- c' Q' D2 e3 ?7 V [7 }8 F. O
, a0 T* D! L# w4 r0 m E, {Method 11
! m% g" A4 W8 }9 x* @7 b9 w1 c( T=========
- z' i$ i: Q# ^- u' R2 ?& l& w' t/ t' t; i! N. B1 I* y
This method is most known as 'MeltICE' because it has been freely distributed4 l+ V) k9 J5 q7 C4 y& n, g
via www.winfiles.com. However it was first used by NuMega people to allow
) g' N" j2 X& Z; d: S4 T9 _/ RSymbol Loader to check if SoftICE was active or not (the code is located
2 O3 b$ C- F; U P6 Cinside nmtrans.dll).
( @) ~* a7 m8 n6 m1 U8 Z7 Z( v; K# e; q: b: s- N
The way it works is very simple:
- V4 N, {6 Q! ]1 O5 @1 X% m' L8 Y* RIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for% @$ J7 J1 ?' l+ l: g% i, x
WinNT) with the CreateFileA API.
4 u6 Q" u2 a9 P( V, A4 M+ }3 b* ^3 F# w& p: l% D" l/ z3 U
Here is a sample (checking for 'SICE'):9 k8 K) h5 G- v! \# }
6 }# B: Y4 H0 d( k# {- L2 QBOOL IsSoftIce95Loaded()# U/ U% {7 {: M
{
5 H; J* ?0 o4 m; J' B HANDLE hFile;
( H8 D( e/ m& g' m' D hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,' u$ a; Y/ U2 F5 [2 G9 m
FILE_SHARE_READ | FILE_SHARE_WRITE,
3 T7 [+ Z, Y8 s/ q1 s0 G NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);' |7 N9 O, \& X- f( @
if( hFile != INVALID_HANDLE_VALUE )% k- E/ ^) L5 F/ c) A" b2 [3 s2 W
{% U, M1 H- x% S4 a$ X: a7 K+ i/ x
CloseHandle(hFile);% ~, a4 T" X8 [1 E
return TRUE;5 {* h& [" w! X. g
}
, F7 R) Y _( f5 g return FALSE;) v( k# u# k, l/ v. }3 o
}
# A% ^% e" ?* U; m( b. Y! R6 y
/ F) Q3 x7 T, k# E0 v- YAlthough this trick calls the CreateFileA function, don't even expect to be
1 j# j0 S d! A, N" J" w; wable to intercept it by installing a IFS hook: it will not work, no way!
: I! X' H \" h9 D0 vIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
' c7 f9 N; J& d Q+ pservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)9 n+ o9 R4 U9 b7 a- ~3 f: h' o' F
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
/ f1 x: [: I" t* O c; jfield.
' O& J8 Q3 o& u" HIn fact, its purpose is not to load/unload VxDs but only to send a 6 V9 W3 T/ Y/ ~1 F3 N( \2 M
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)5 R( d2 ? C; Q. V0 s+ j0 C) s) [
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
7 L! [3 \/ q, a4 c0 e1 a* Bto load/unload a non-dynamically loadable driver such as SoftICE ;-).5 A2 B8 {, e+ k( A+ `
If the VxD is loaded, it will always clear eax and the Carry flag to allow
1 t. k4 U/ Q- l" k: ?* Sits handle to be opened and then, will be detected.! x( n3 s H' x
You can check that simply by hooking Winice.exe control proc entry point
7 }4 G- R# Q$ b* P* F: E4 swhile running MeltICE.8 U. u" }3 t1 e6 ?0 G) d/ u' Q
9 @% Z( \3 w; M$ A& S
: _' @/ u. m6 s5 o) Y5 m7 T* s
00401067: push 00402025 ; \\.\SICE
0 \. {0 N9 A' Q* \1 l 0040106C: call CreateFileA4 @; p, w- Y; I5 s, a
00401071: cmp eax,-001
0 y! `+ H+ H2 k( g/ D* u 00401074: je 00401091
$ d4 x1 P5 K0 Q/ S8 @ Q& }+ R9 p: q3 Y4 f- C
/ L M( H# ]# E) {There could be hundreds of BPX you could use to detect this trick.
+ t2 l* M& n( S6 p, g: ^3 l-The most classical one is:
# Q3 e0 ~! f) K4 B& ~ BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||5 K* E! |' ], Y- o# l1 B$ z
*(esp->4+4)=='NTIC'
- o; @( K/ O H" P* ]2 n. \; X8 S0 C! J/ U) l+ U) L1 @3 ^
-The most exotic ones (could be very slooooow :-($ z" q& U9 D, l2 V; s
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') ; r& P; k! d4 x, F I* s6 T
;will break 3 times :-(' ?# @0 j' u3 M( I
! b. f3 [1 k- n" N% v. B% d( A-or (a bit) faster:
+ x: i6 G9 r% E+ ^ BPINT 30 if (*edi=='SICE' || *edi=='SIWV')) w" j5 a x O* |6 I( m
# S/ g/ K% G; H. {- v4 V, |! g
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
2 s& {/ v; C6 Q ;will break 3 times :-(
5 ?; L1 M2 L8 X
- f A b3 ~9 A' R-Much faster:
3 ~/ j; _" d" ?% S) R5 w BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'1 ?' H6 F( y: v+ S6 @
' Q9 d: Q% P5 N' B4 c) hNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
n9 Q( [2 O& k3 ^function to do the same job:! F/ n; \1 G5 c3 s/ b1 r: S, O/ O; @
$ s& A. y" I5 M# a; A. @
push 00 ; OF_READ
0 [" o: V/ L* ^" E5 a/ A5 L( W mov eax,[00656634] ; '\\.\SICE',0! g! f9 p8 S6 }' {1 Y
push eax
. v9 w% b" I% o4 G% t5 C& m call KERNEL32!_lopen% L( U% B! G1 l- L: r- O8 y9 e
inc eax
& `, {& E% z/ r6 [ o% l: F* q6 o jnz 00650589 ; detected
# y" E) x0 q0 Y& |' D push 00 ; OF_READ
6 z% P" N/ N: {# j+ D) w6 H* d& l8 g mov eax,[00656638] ; '\\.\SICE'' a" f+ N* R5 h: d4 c- J0 a
push eax
& A' T& c( d+ b" h6 ]6 b call KERNEL32!_lopen, F8 A* ^1 N2 w* ~; w
inc eax: V. v0 ?1 P5 w
jz 006505ae ; not detected
# n- y$ v$ t9 v, v1 s2 Z" ^! H* e2 T$ S& {
- ?' J# W* i9 y2 \__________________________________________________________________________% H; h" \. u$ z2 o9 [+ v; M- B% l
/ j6 W, ~6 C+ X8 s0 n* W YMethod 12; e$ T- V: G. @' v3 i ~
=========
$ K6 C$ O; ^$ K5 E9 }# h5 e/ d8 I( j9 s/ S
This trick is similar to int41h/4fh Debugger installation check (code 05& @: O& V, ~7 O/ P8 S ]! b# n
& 06) but very limited because it's only available for Win95/98 (not NT)7 |& e3 p7 \6 \: y" N$ W
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
* q( L3 s7 t0 h' l4 i9 X4 g% e( Z I% H! t0 O0 e8 h/ @
push 0000004fh ; function 4fh' j& Q/ n5 g$ V2 z
push 002a002ah ; high word specifies which VxD (VWIN32)3 E# R5 P2 t' L8 O& K- W
; low word specifies which service
0 Q( A& B$ w% O" w (VWIN32_Int41Dispatch)
5 F) J4 v) [1 O' u$ c+ [9 E, E call Kernel32!ORD_001 ; VxdCall
/ c. q& m- u+ r8 ` cmp ax, 0f386h ; magic number returned by system debuggers3 k2 t' ?7 M, u$ @, o E
jz SoftICE_detected0 E5 r1 {5 ?% }
R- @+ C0 n L3 k8 kHere again, several ways to detect it:
8 l# Y4 \# _3 x5 ~
* h- G* ?( p( \& Z3 _# X BPINT 41 if ax==4f$ y& z. i. C3 V- c
( w* J/ E& Q! p6 w7 M BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
. P4 l5 x- p. W2 z0 [( L
5 W( ^) ?: G+ p v2 G9 g7 T BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
: p& W4 [. `6 E$ c
0 F! S& v K \4 Q7 P BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
$ g" ^/ P z6 K; F1 w# ~( c. p
2 j' k) d) O2 j/ d* L__________________________________________________________________________: ^ I1 N, ?! i
% q) r6 Q( u& }7 NMethod 13
& I# X0 |; W, v2 u=========" X: K8 ~& R4 O" V9 l
5 V$ [/ T0 ?. J1 [3 Q
Not a real method of detection, but a good way to know if SoftICE is: W: H5 O5 m; R' a/ b
installed on a computer and to locate its installation directory.
) O2 t2 @# r9 u5 E5 g `+ aIt is used by few softs which access the following registry keys (usually #2) :$ X" Q9 Y# d: F( f. u2 }2 b- u
" w! Y0 r* c# P! t7 y4 C9 N) x
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
j3 T/ n, y4 [5 w9 A+ N\Uninstall\SoftICE' {2 l0 t4 a% O0 t7 Z2 ]) _
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE2 U+ T w8 u' y8 p
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion" C& T- K" F4 c# L% o" g- K8 {
\App Paths\Loader32.Exe9 [" |* p9 d4 k9 G: [% \5 q+ e
8 h$ d; L! R _: e# Y% B1 M0 i1 w1 P W5 y G
Note that some nasty apps could then erase all files from SoftICE directory
8 @7 l/ C+ w0 }9 F0 w" V(I faced that once :-(: Y. ?" L1 U8 N- ^( D U( ]
6 J* m$ X: I) ]4 P
Useful breakpoint to detect it:
1 J3 ~1 l- H6 M
1 i, q: \* }6 b6 R9 X7 w, T. d* R BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'% `; M4 h. I; J/ T8 `1 L) [7 ~8 ^
/ ]; V& h! C6 v" k, d__________________________________________________________________________
5 s9 y5 t7 @" ~0 U1 O6 b5 D! G$ H5 O) B7 m- m
7 }8 W; V U2 V+ ?' Y
Method 14 # r# W2 ^ }9 W) G
=========
2 K% b8 R% m p4 s. K9 v: R) A0 l
: [% s N3 b5 b$ r6 {+ g! r+ UA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
5 m9 l- O& h/ \0 Tis to determines whether a debugger is running on your system (ring0 only).
" ?5 C( ^6 F. [ D* V7 R) L+ Q9 b" f y* a2 e6 t
VMMCall Test_Debug_Installed
% X' p1 U8 e- h4 f: H# y je not_installed( E" v: n! ^* C% J6 M5 H
* O( X$ I9 a/ K
This service just checks a flag.
5 C: C) _, C7 T5 ^* X</PRE></TD></TR></TBODY></TABLE> |