<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with
EBP = 'BCHK' and AX = 4, an INT 3 is intercepted by SoftICE, which modifies
AL. If AL still equals 4 afterwards, SoftICE is not present.

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3                   ; SoftICE changes AL when it is loaded
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command: the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jumps back.
4C19:00AD MOV BX,SP     ; Good_Guy goes ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI receives its
API entry point; otherwise ES:DI stays 0.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE (SICE)
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; (or ax,di would be the stricter non-zero test)
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next variant, as well as the one in Method 06, are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). The real-mode int 41h vector is
temporarily replaced by a handler that does nothing (a plain IRET): if AX
still comes back as 0F386h, the interrupt was answered by SoftICE before
the real-mode vector was ever reached. ES must point to the interrupt
vector table (segment 0), as in Method 06.

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install the dummy handler, save the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd variant, similar to the preceding one but harder to catch with a
breakpoint because it never uses function 4Fh nor compares against 0F386h:
the dummy handler copies AL into CL; if CL does not equal AL afterwards, the
handler was never reached, so something else (SoftICE) answered int 41h.
AL is loaded from the timer port (in al,40h) so the value is hard to predict.

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random value from the PIT
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected

(Note that the check gives a false negative when the byte read from port
40h happens to be 0, since CL is also 0 when the handler did not run.)
_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 debugger interface):
function AH = 43h returns AX = 0F386h when a debugger is installed.

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (which hangs the computer...).

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h                 ; DS must hold the segment of New_Int_Routine

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless here ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only, since mov eax,dr7 is a
privileged instruction) you can detect whether SoftICE is loaded
(dr7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (dr0 to dr3). The values
can be manipulated or changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega to
let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via Kernel32!ORD_0001/VxDCall) and then walks
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025 ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                         ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                         ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) + 1 == 0 -> open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!
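
The following is an added example, not part of the original text nor code
from NuMega or from any of the protections discussed: a small C scanner that
looks for the raw x86 encodings of the detection sequences quoted in Methods
01 to 05, 07, 11 and 12, so that an analyst can locate the trick in an
executable image statically and pick the matching breakpoint from the lists
above. The opcode bytes are my own encodings of the listed instructions, the
sample buffer is constructed for the example, and the labels, function and
type names are mine.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* One signature: a label naming the method above, and the raw x86 bytes of
 * the instruction sequence the text quotes for it. */
typedef struct {
    const char          *method;
    const unsigned char *bytes;
    size_t               len;
} Signature;

/* sizeof(literal)-1 keeps embedded 00h bytes that strlen() would cut off. */
#define SIG(label, lit) { label, (const unsigned char *)(lit), sizeof(lit) - 1 }

/* 16-bit encodings as in the listings above. In 32-bit code the same
 * instructions carry a leading 66h operand-size prefix, which these
 * prefix-free patterns still match. Method 12 is keyed on push 2A002Ah
 * alone, because push 4Fh may be assembled as either 6A 4F or 68 4F 00 00 00. */
static const Signature sigs[] = {
    SIG("Method 01: mov ebp,'BCHK' (BoundsChecker int 3)",            "\xBD\x4B\x48\x43\x42"),
    SIG("Method 02: mov si,4647h / mov di,4A4Dh (int 3 back door)",   "\xBE\x47\x46\xBF\x4D\x4A"),
    SIG("Method 03: int 2Fh/1684h with bx=0202h (SICE VxD)",          "\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    SIG("Method 04: int 2Fh/1684h with bx=7A5Fh (SIWVID VxD)",        "\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    SIG("Method 05: mov ax,4Fh / int 41h",                            "\xB8\x4F\x00\xCD\x41"),
    SIG("Method 07: mov ah,43h / int 68h",                            "\xB4\x43\xCD\x68"),
    SIG("Method 12: push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)", "\x68\x2A\x00\x2A\x00"),
    SIG("cmp ax,0F386h (system debugger magic number)",               "\x3D\x86\xF3"),
    SIG("Method 11: device name \\\\.\\SICE",                         "\\\\.\\SICE"),
    SIG("Method 11: device name \\\\.\\SIWVID",                       "\\\\.\\SIWVID"),
    SIG("Method 11: device name \\\\.\\NTICE",                        "\\\\.\\NTICE"),
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

typedef struct {
    const char *method;
    size_t      offset;
} Hit;

/* Scan buf for every signature; record up to max_hits hits (label and byte
 * offset) and return the total number found, even when it exceeds max_hits.
 * Hits are ordered by signature, then by offset. */
int scan_anti_softice(const unsigned char *buf, size_t len, Hit *hits, int max_hits)
{
    int n = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        const Signature *sg = &sigs[s];
        if (sg->len == 0 || sg->len > len)
            continue;
        for (size_t off = 0; off + sg->len <= len; off++) {
            if (memcmp(buf + off, sg->bytes, sg->len) != 0)
                continue;
            if (n < max_hits) {
                hits[n].method = sg->method;
                hits[n].offset = off;
            }
            n++;
        }
    }
    return n;
}

/* Constructed sample "binary" (not taken from any real program): Method 01's
 * check, Method 05's int 41h check, Method 12's VxDCall and a MeltICE device
 * name, separated by NOPs. */
static const unsigned char sample[] = {
    0x66,0xBD,0x4B,0x48,0x43,0x42,       /* mov ebp,4243484Bh ('BCHK')  */
    0xB8,0x04,0x00, 0xCC,                /* mov ax,4 ; int 3            */
    0x3C,0x04, 0x75,0x10,                /* cmp al,4 ; jnz detected     */
    0x90,0x90,0x90,                      /* nop nop nop                 */
    0xB8,0x4F,0x00, 0xCD,0x41,           /* mov ax,4Fh ; int 41h        */
    0x3D,0x86,0xF3, 0x74,0x05,           /* cmp ax,0F386h ; jz detected */
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00, /* push 4Fh ; push 2A002Ah     */
    0xE8,0x00,0x00,0x00,0x00,            /* call VxDCall (dummy rel32)  */
    '\\','\\','.','\\','S','I','C','E',0 /* device name for CreateFileA */
};
const size_t sample_len = sizeof sample;

int main(void)
{
    Hit hits[32];
    int n = scan_anti_softice(sample, sample_len, hits, 32);
    for (int i = 0; i < n && i < 32; i++)
        printf("offset %04zx: %s\n", hits[i].offset, hits[i].method);
    printf("%d anti-SoftICE signature(s) found\n", n);
    return 0;
}
```

Run it over a dumped or unpacked image rather than the packed file when the
code is encrypted at rest. The patterns are deliberately short, so treat a
hit as a place to disassemble, not as proof; Methods 06, 08, 09, 10, 13 and
14 leave no fixed byte sequence and are not covered.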

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    (esp->8 is lpSubKey; offsets 0x13 and 0x37 are where "tICE" sits in
    keys #2 and #1 respectively)
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>