<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE exposes through INT 3:
with EBP='BCHK' and AX=4, SoftICE services the request and returns with AL
changed, whereas an unhooked INT 3 returns with the registers untouched.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; still 4 -> nobody answered the interface
        jnz SoftICE_Detected

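Added example, not code from the original page: Method 01 fires an INT 3 and checks whether something other than the default handler answered. The same question can be asked of a ptrace()-based debugger on a POSIX host, which is what this C program assumes (Linux or BSD, with gdb in SoftICE's role): a tracer receives SIGTRAP before the process does, and gdb does not pass SIGTRAP on, so the process's own handler never runs. The handler flag plays the part of AL in the original. A tracer that passes the signal through (strace, by default) is not detected, just as a chaining INT 3 handler would not be.

```c
/* Added example, not from the original page. Assumes a POSIX host where a
 * debugger such as gdb intercepts SIGTRAP the way SoftICE intercepts INT 3.
 * The _POSIX_C_SOURCE define only matters when compiling in strict ISO mode. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

static volatile sig_atomic_t trap_seen;   /* our stand-in for "AL is still 4" */

static void on_sigtrap(int sig)
{
    (void)sig;
    trap_seen = 1;                        /* the trap reached us: nobody swallowed it */
}

/* 1 = a debugger swallowed the trap, 0 = our handler ran, -1 = could not test */
int debugger_present(void)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigtrap;
    sigemptyset(&sa.sa_mask);
    trap_seen = 0;
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;                        /* cannot install the handler: inconclusive */
    raise(SIGTRAP);                       /* stands in for the original's 'int 3' */
    sigaction(SIGTRAP, &old, NULL);       /* restore, as the int 41h examples restore the vector */
    return trap_seen ? 0 : 1;
}

int main(void)
{
    int r = debugger_present();
    puts(r == 1 ? "debugger detected" : r == 0 ? "no debugger" : "inconclusive");
    return 0;
}
```

Run it plain and then under `gdb -batch -ex run ./a.out`: the first prints "no debugger", the second "debugger detected" (gdb stops on the SIGTRAP and does not deliver it). Like Method 01, the check is only as strong as the debugger's default signal policy; `handle SIGTRAP nostop pass` in gdb defeats it, which is the modern equivalent of patching the BCHK response.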
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the jump to 00ADh is taken through an exception handler (SEH) when the
  debugger is not loaded and nothing services the INT 3.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD's API entry point via
int 2Fh/1684h (Get VxD API entry point): ES:DI comes back 0000:0000 when no
VxD with that ID is loaded.

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax              ; non-zero -> the VxD answered
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first installs its own do-nothing
handler in the real-mode int 41h vector: under plain DOS that vector is not
code but the pointer to the fixed disk parameter table, so an unserviced
int 41h would crash. A debugger that hooks int 41h before the vector table is
consulted, as SoftICE does, still answers 0F386h.

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table at 0000:0000
                                ; (added here; the Method 06 listing does the same)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: no
function number is passed. A pseudo-random byte read from the timer (port 40h)
is carried in AL, and the installed handler copies it into CL, so if the
interrupt reached our handler CL == AL afterwards. If another int 41h handler
took the call and returned without passing it on, CX is still 0 and the
mismatch reveals the debugger (when AL happens to read 0 the test is
inconclusive, since CL is 0 either way).

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in DX:BX
        xchg bx, es:[41h*4+2]
        in al, 40h              ; pseudo-random value from the PIT
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:
        BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h             ; DOS: set interrupt vector
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using the VxDCall backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether there are some memory breakpoints set (dr0 to dr3), simply by
reading their value (in ring 0 only). Values can be manipulated or changed as
well (clearing BPMs, for instance).
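Added example, not code from the original page: Method 10 reads DR7 (and DR0 to DR3) from ring 0, and the text gives the two values 0x700 and 0x400 without saying what they mean. This C decoder shows how the "loaded with the SoftICE loader" test and the "is a BPM armed?" test fall out of the DR7 bit layout, and what a "clear BPMs" write-back would look like. It does not read the registers itself (that needs ring 0, or a tracer via ptrace on Linux); every DR7 value it handles is constructed.

```c
/* Added example, not from the original page. DR7 layout per the Intel SDM,
 * vol. 3, "Debug Registers":
 *   bits 0-7    L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
 *   bits 8,9    LE,GE   exact-breakpoint bits (0x700 = LE|GE plus bit 10)
 *   bit 10      reserved, reads as 1 (hence 0x400 on an untouched system)
 *   bit 13      GD      general detect: trap any MOV to/from DRn
 *   bits 16-31  R/Wn (2 bits) and LENn (2 bits) for each of DR0..DR3
 * The values fed to these functions are constructed samples. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct hwbp {
    int local, global;       /* L/G enable bits */
    unsigned rw;             /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    unsigned len_bytes;      /* 1, 2, 4 (8 only in 64-bit mode) */
};

struct dr7_info {
    struct hwbp bp[4];
    int any_enabled;         /* some hardware breakpoint (a BPM) is armed */
    int le, ge, gd;
};

static unsigned len_from_field(unsigned f)
{
    switch (f) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;       /* 10b: undefined on 32-bit, 8 bytes in long mode */
    }
}

struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info r;
    memset(&r, 0, sizeof r);
    for (int i = 0; i < 4; i++) {
        r.bp[i].local     = (dr7 >> (2 * i))      & 1;
        r.bp[i].global    = (dr7 >> (2 * i + 1))  & 1;
        r.bp[i].rw        = (dr7 >> (16 + 4 * i)) & 3;
        r.bp[i].len_bytes = len_from_field((dr7 >> (18 + 4 * i)) & 3);
        if (r.bp[i].local || r.bp[i].global)
            r.any_enabled = 1;
    }
    r.le = (dr7 >> 8)  & 1;
    r.ge = (dr7 >> 9)  & 1;
    r.gd = (dr7 >> 13) & 1;
    return r;
}

/* The two questions Method 10 asks of DR7. */
int softice_loader_signature(uint32_t dr7) { return (dr7 & 0x700u) == 0x700u; }
int hw_breakpoints_armed(uint32_t dr7)     { return decode_dr7(dr7).any_enabled; }

/* What "clearing BPMs" writes back: keep bits 8-15 (LE, GE, GD, reserved
 * bit 10), drop every enable bit and every R/W-LEN field. */
uint32_t dr7_with_breakpoints_cleared(uint32_t dr7) { return dr7 & 0x0000FF00u; }

int main(void)
{
    /* constructed sample: loader signature plus DR0 armed as a 4-byte read/write BPM */
    uint32_t sample = 0x700u | 1u | (3u << 16) | (3u << 18);
    struct dr7_info d = decode_dr7(sample);
    printf("loader signature: %d, BPM armed: %d, DR0 rw=%u len=%u, cleared -> 0x%x\n",
           softice_loader_signature(sample), d.any_enabled,
           d.bp[0].rw, d.bp[0].len_bytes, dr7_with_breakpoints_cleared(sample));
    return 0;
}
```

Two practical notes follow from the decoder: bit 10 is why a clean system reads 0x400 rather than 0, so a check for `dr7 == 0` would never fire; and because the enable bits are per-register, a protection can tell "SoftICE is resident" (LE/GE set, nothing armed) apart from "someone has a BPM on my code" (an Ln/Gn bit set), which is exactly why the text warns against tracing with BPMs active while such code runs.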
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE drivers' handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* the open only succeeds if the VxD answers the DIOC_OPEN it receives */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                                            \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                                            \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE' inside
the subkey strings of #2 and #1 respectively; HKEY_LOCAL_MACHINE is the hKey
argument, not part of the string):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

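Added example, not code from the original page, serving both the CreateFileA breakpoint of Method 11 and the _regopenkey breakpoint above: every one of those SoftICE conditions reduces to "compare four bytes at a fixed offset of the string argument with a tag", and the offsets come from the strings the programs pass ("\\.\SICE" has 'SICE' at +4; the two registry paths have 'tICE' at +0x13 and +0x37). This C program evaluates the same predicates over the strings from the text and derives the offsets instead of counting by hand. All inputs are constructed; nothing here touches CreateFile or the registry.

```c
/* Added example, not from the original page. Reproduces the SoftICE
 * breakpoint conditions of Methods 11 and 13 as C predicates over the
 * string arguments; inputs below are constructed from the text. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SoftICE's *(addr)=='SICE' reads four bytes unconditionally. In C we must
 * not run past the terminator, so a string too short to hold the tag at
 * that offset simply does not match. */
static int tag_at(const char *s, size_t off, const char *tag4)
{
    size_t n = strlen(s);
    if (off > n || n - off < 4)
        return 0;
    return memcmp(s + off, tag4, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || ... : esp->4 is lpFileName and
 * the "\\.\" prefix is four bytes, so the device name starts at +4. */
int bp_createfile_hits(const char *lpFileName)
{
    return tag_at(lpFileName, 4, "SICE")     /* \\.\SICE   */
        || tag_at(lpFileName, 4, "SIWV")     /* \\.\SIWVID */
        || tag_at(lpFileName, 4, "NTIC");    /* \\.\NTICE  */
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE' :
 * esp->8 is lpSubKey; 0x13 is the 't' of "SoftICE" in key #2, 0x37 the
 * 't' of "SoftICE" in key #1. */
int bp_regopenkey_hits(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13, "tICE") || tag_at(lpSubKey, 0x37, "tICE");
}

/* Offset of a tag inside a string, for building a new condition.
 * Returns (size_t)-1 when the tag does not occur. */
size_t tag_offset(const char *s, const char *tag)
{
    const char *p = strstr(s, tag);
    return p ? (size_t)(p - s) : (size_t)-1;
}

int main(void)
{
    /* constructed inputs: the device names and registry keys named in the text */
    const char *devs[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "C:\\boot.ini" };
    const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    for (size_t i = 0; i < sizeof devs / sizeof devs[0]; i++)
        printf("CreateFileA(%s) -> %s\n", devs[i],
               bp_createfile_hits(devs[i]) ? "break" : "pass");
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        size_t off = tag_offset(keys[i], "tICE");
        printf("RegOpenKey(#%zu) -> %s, 'tICE' at ", i + 1,
               bp_regopenkey_hits(keys[i]) ? "break" : "pass");
        if (off == (size_t)-1) puts("(absent)"); else printf("+0x%zx\n", off);
    }
    return 0;
}
```

The condition quoted above does not fire for key #3, because "Loader32.Exe" contains no 'tICE'; `tag_offset` on that string with a tag such as 'Load' gives the +0x34 you would need for a third clause. The bounds check in `tag_at` is the one thing SoftICE's expression does not do: the debugger happily reads four bytes past a short string, which is harmless for a breakpoint condition but not for code you ship.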
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

        VMMCall Test_Debug_Installed
        je not_installed        ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>