<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh      ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4                ; al is still 4 if nothing answered the int 3
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h            ; VxD ID of winice
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di               ; ES:DI is still 0:0 if no such VxD answered
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh            ; VxD ID of SIWVID
    int 2Fh
    mov ax, es               ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; (assumes ES = 0, i.e. ES addresses the interrupt vector table)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]      ; point the int 41h vector at our dummy handler,
    xchg bx, es:[41h*4+2]    ; keeping the old vector in bx:dx
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h           ; the IVT handler only irets, so 0F386h can only
    jz SoftICE_detected      ; come from a debugger intercepting int 41h below it

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al               ; our handler just copies al into cl
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]      ; install our handler, keeping the old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h               ; a changing timer value as "function number"
    xor cx, cx
    int 41h                  ; if our handler ran, cl == al afterwards
    xchg dx, es:[41h*4]      ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected     ; the int never reached our handler

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h              ; DOS: set interrupt vector
    mov al, Int_Number       ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID       ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name     ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx           ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
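
As an added example (not code from this text), the following Python decodes a
DR7 value with the documented x86 bit layout, so the two numbers quoted above
stop being magic: 0x400 is only the reserved bit 10, which always reads as 1,
and 0x700 adds the LE and GE flags on top of it; bits 0 to 7 say which of
DR0 to DR3 are armed, which is the "memory breakpoints" part. It works on an
integer you already have (reading the real register needs ring0, as said
above); the function names and the sample values are the example's own.

```python
# Added example: decode DR7 the way Method 10 reads it. Pure integer
# arithmetic over a value passed in; nothing here touches the real register.

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}   # R/W_i field
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}                          # LEN_i field


def decode_dr7(dr7: int) -> dict:
    """Return which of DR0..DR3 are armed (and how), plus the global flags."""
    armed = {}
    for i in range(4):
        local_enable = (dr7 >> (2 * i)) & 1        # L_i
        global_enable = (dr7 >> (2 * i + 1)) & 1   # G_i
        if local_enable or global_enable:
            rw = (dr7 >> (16 + 4 * i)) & 3         # break condition
            ln = (dr7 >> (18 + 4 * i)) & 3         # watched size
            armed[i] = {"kind": RW_KIND[rw], "length": LEN_BYTES[ln],
                        "global": bool(global_enable)}
    return {
        "armed": armed,
        "LE": bool((dr7 >> 8) & 1),               # local exact breakpoint match
        "GE": bool((dr7 >> 9) & 1),               # global exact breakpoint match
        "GD": bool((dr7 >> 13) & 1),              # general detect: traps MOV DRx
        "reserved_bit10": bool((dr7 >> 10) & 1),  # always reads as 1, hence 0x400
    }


def softice_loader_signature(dr7: int) -> bool:
    """Method 10's test: 0x700 (LE+GE set on top of bit 10) is the value the
    text attributes to a program started with the SoftICE loader; 0x400 is
    the idle value."""
    return (dr7 & 0x700) == 0x700


def hardware_bpm_present(dr7: int) -> bool:
    """True if any DR0..DR3 breakpoint (a SoftICE BPM) is currently enabled."""
    return (dr7 & 0xFF) != 0


if __name__ == "__main__":
    # Constructed sample values: the two quoted in the text, plus one with DR0
    # armed as a 4-byte write watchpoint (L0, R/W0=01b, LEN0=11b).
    for v in (0x400, 0x700, 0xD0701):
        print(hex(v), softice_loader_signature(v), hardware_bpm_present(v),
              decode_dr7(v))
```

The third sample value shows why reading only dr7 is enough to know that a
BPM exists, while dr0 to dr3 are needed to know where it points.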
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* open the VxD by its device name: only succeeds if the driver is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001       ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                      ; OF_READ
    mov eax,[00656634]           ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                      ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                 ; detected
    push 00                      ; OF_READ
    mov eax,[00656638]           ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh               ; function 4Fh
    push 002A002Ah               ; high word specifies which VxD (VWIN32),
                                 ; low word specifies which service
                                 ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001       ; VxDCall
    cmp ax, 0F386h               ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386       ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f    ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
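
As an added example (not code from this text or from the programs it names),
here is a small Python scanner that looks for the instruction sequences and
strings behind Methods 01 to 07 and 11 to 13 in a file image, the way one would
triage a packed sample for these tricks offline instead of catching them live
with a BPX. The opcode bytes are the standard x86 encodings of the instructions
quoted above (16-bit DOS code unless the comment says otherwise); the helper
`device_tag` reproduces the `*(esp->4+4)` test of Method 11 and `tice_offset`
shows where the 0x13 and 0x37 of the `_regopenkey` breakpoint come from. The
sample bytes, labels and function names are constructed for the example.

```python
# Added example: static scanner for the anti-SoftICE patterns catalogued in
# the text. It only reads bytes; it never touches int vectors or a debugger.
import re

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3  (32-bit, or 66h-prefixed)
    ("M01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # Method 02: mov si,4647h / mov di,4A4Dh  (optional 66h prefix in 32-bit code)
    ("M02 SoftICE back door magic SI/DI",
     re.compile(rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A", re.S)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("M03/04 int 2Fh/1684h SICE or SIWVID VxD ID",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh / int 41h
    ("M05 int 41h function 4Fh",
     re.compile(rb"\xB8\x4F\x00\xCD\x41", re.S)),
    # Method 07: mov ah,43h / int 68h
    ("M07 int 68h function 43h",
     re.compile(rb"\xB4\x43\xCD\x68", re.S)),
    # Methods 05/07/12: cmp ax,0F386h (short form; optional 66h prefix)
    ("cmp ax,0F386h debugger magic",
     re.compile(rb"(?:\x66)?\x3D\x86\xF3", re.S)),
    # Method 12: push 4Fh / push 002A002Ah  (32-bit code)
    ("M12 VxDCall VWIN32_Int41Dispatch 4Fh",
     re.compile(rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00", re.S)),
]

# Method 11: the device names MeltICE opens with CreateFileA or _lopen
DEVICE_NAME = re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)")
# Method 13: tails of the three registry keys
REGISTRY_KEY = re.compile(rb"(?:Uninstall|NuMega)\\SoftICE|App Paths\\Loader32\.Exe")


def device_tag(name: bytes) -> bytes:
    """The 4 bytes SoftICE's *(esp->4+4) condition compares: esp->4 is
    CreateFileA's lpFileName and +4 skips the 4-character device prefix, so
    the DWORD read is 'SICE', 'SIWV' or 'NTIC'."""
    return name[4:8]


def tice_offset(subkey: str) -> int:
    """Offset of 'tICE' in a registry subkey: the 0x13 / 0x37 used by the
    BPX _regopenkey condition (esp->8 is lpSubKey)."""
    return subkey.find("tICE")


def scan(blob: bytes) -> list:
    """Return (offset, label) pairs for every pattern found, sorted by offset."""
    hits = []
    for label, rx in SIGNATURES:
        hits += [(m.start(), label) for m in rx.finditer(blob)]
    for m in DEVICE_NAME.finditer(blob):
        name = m.group(0)
        hits.append((m.start(), "M11 MeltICE device name %s (tag %s)"
                     % (name.decode("ascii"), device_tag(name).decode("ascii"))))
    for m in REGISTRY_KEY.finditer(blob):
        hits.append((m.start(), "M13 registry key ..." + m.group(0).decode("ascii")))
    return sorted(hits)


# Constructed sample "file": NOP padding around a few of the sequences above.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"    # Method 01 in 32-bit code
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"    # Method 02: mov ax,911h; magic; int 3
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"            # Method 05 + cmp ax,0F386h
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"           # Method 11 device names
    + b"Software\\NuMega\\SoftICE\x00"                # Method 13 key #2
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print("0x%04X  %s" % (off, label))
    print(hex(tice_offset("Software\\NuMega\\SoftICE")))   # 0x13
```

The byte patterns are deliberately short, so on a real sample they are a
triage aid rather than proof: a hit tells you where to start disassembling,
and the Method 11 strings may also be stored as Unicode, which this regex does
not cover.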

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>