<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the next one) is used by most of the
packers/encryptors found on the Internet. It relies on the BoundsChecker
signature recognised by SoftICE: with ebp = 'BCHK' and ax = 4, the INT 3
comes back with al no longer equal to 4 when SoftICE is loaded.

   mov ebp, 04243484Bh   ; 'BCHK'
   mov ax, 04h
   int 3
   cmp al, 4
   jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It calls
the SoftICE 'back door' INT 3 interface, which gives information on
breakpoints or executes SoftICE commands... It is also used to crash
SoftICE or to force it to execute arbitrary commands (HBOOT...) :-((

Here is a quick description:
   -AX = 0910h (Display string in SoftICE window)
   -AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
   -AX = 0912h (Get breakpoint info)
   -AX = 0913h (Set SoftICE breakpoints)
   -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
   -SI = 4647h
   -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

   4C19:0095  MOV AX,0911   ; execute command
   4C19:0098  MOV DX,[BX]   ; ds:dx points to the command (see below)
   4C19:009A  MOV SI,4647   ; 1st magic value
   4C19:009D  MOV DI,4A4D   ; 2nd magic value
   4C19:00A0  INT 3         ; back door call (if SoftICE is not loaded, jmp to 00AD*)
   4C19:00A1  ADD BX,02     ; BX+2 to point to the next command to execute
   4C19:00A4  INC CX
   4C19:00A5  CMP CX,06     ; repeat 6 times to execute
   4C19:00A8  JB 0095       ; 6 different commands
   4C19:00AA  JMP 0002      ; Bad_Guy: jump back
   4C19:00AD  MOV BX,SP     ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
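The following is an added example, not part of the original text: a Python model of what a debugger's INT 3 handler (or an emulator hook) has to inspect to tell a plain INT 3 from the 'BCHK' probe of Method 01 and from the back door call of Method 02, and to pull out the command string such a call would hand to SoftICE. It replays the six-command loop of the Haspinst.exe listing over a constructed memory image; the near-pointer table layout, the NUL termination of the command strings and the list of 'dangerous' commands are assumptions of the example, not facts taken from the page.

```python
"""Recognise the two INT 3 based tricks (Methods 01 and 02) the way an
INT 3 handler or emulator hook would.

Added example, not part of the original text. Register values and the
memory image are constructed; the near-pointer table layout, the NUL
termination of the command strings and the DANGEROUS_COMMANDS list are
assumptions of this example.
"""
from dataclasses import dataclass

BCHK_MAGIC = 0x4243484B          # 'BCHK' in ebp, with ax = 4 (Method 01)
BACKDOOR_SI = 0x4647             # 'FG'  } magic values of the INT 3
BACKDOOR_DI = 0x4A4D             # 'JM'  } back door (Method 02)
BACKDOOR_FUNCS = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}
DANGEROUS_COMMANDS = {"HBOOT"}   # commands a hook should refuse to forward


@dataclass
class Regs:
    eax: int = 0
    ebp: int = 0
    si: int = 0
    di: int = 0
    ds: int = 0
    dx: int = 0


def linear(seg: int, off: int) -> int:
    """Real-mode seg:off to a linear address."""
    return ((seg & 0xFFFF) << 4) + (off & 0xFFFF)


def read_cstring(mem: bytes, seg: int, off: int, limit: int = 64) -> str:
    """NUL-terminated ASCII string at seg:off (at most `limit` bytes)."""
    start = linear(seg, off)
    end = mem.find(b"\x00", start, start + limit)
    if end < 0:
        end = start + limit
    return mem[start:end].decode("ascii", errors="replace")


def classify_int3(r: Regs, mem: bytes) -> dict:
    """Decide what an INT 3 with this register state is asking for."""
    ax = r.eax & 0xFFFF
    if r.ebp == BCHK_MAGIC and ax == 4:
        return {"kind": "bchk-probe"}
    if r.si == BACKDOOR_SI and r.di == BACKDOOR_DI and ax in BACKDOOR_FUNCS:
        info = {"kind": "backdoor", "function": BACKDOOR_FUNCS[ax]}
        if ax in (0x0910, 0x0911):           # both take a string at ds:dx
            text = read_cstring(mem, r.ds, r.dx)
            verb = (text.split() or [""])[0].upper()
            info["text"] = text
            info["dangerous"] = ax == 0x0911 and verb in DANGEROUS_COMMANDS
        return info
    return {"kind": "plain-int3"}


def build_sample_memory():
    """Constructed image laid out like the Haspinst.exe listing: a table of
    six near pointers at ds:0100 and the command strings they point to."""
    ds, table, cursor = 0x0100, 0x0100, 0x0200
    mem = bytearray(0x2000)
    cmds = [b"LDT", b"IDT", b"GDT", b"TSS", b"RS", b"HBOOT"]
    for i, cmd in enumerate(cmds):
        slot = linear(ds, table + 2 * i)
        mem[slot:slot + 2] = cursor.to_bytes(2, "little")
        dst = linear(ds, cursor)
        mem[dst:dst + len(cmd)] = cmd        # the NUL terminator is already there
        cursor += len(cmd) + 1
    return bytes(mem), ds, table, len(cmds)


def replay_backdoor_loop(mem: bytes, ds: int, table: int, count: int) -> list:
    """Walk the table like the loop at 4C19:0095-00A8 (MOV DX,[BX] /
    ADD BX,2) and classify each INT 3 it would raise."""
    results = []
    for i in range(count):
        slot = linear(ds, table + 2 * i)
        dx = int.from_bytes(mem[slot:slot + 2], "little")
        regs = Regs(eax=0x0911, si=BACKDOOR_SI, di=BACKDOOR_DI, ds=ds, dx=dx)
        results.append(classify_int3(regs, mem))
    return results


if __name__ == "__main__":
    image, seg, tbl, n = build_sample_memory()
    for hit in replay_backdoor_loop(image, seg, tbl, n):
        print(hit)
```

The point of the dispatcher is the order of the checks: the 'BCHK' probe is identified by ebp and ax alone, while a back door call needs both magic values and a known function code, so a stray INT 3 with ax = 0911h but without SI/DI set is still reported as an ordinary breakpoint. A hook that forwards back door calls to a real SoftICE should drop the ones flagged dangerous, since the page shows HBOOT being pushed through exactly this path.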
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point): if the VxD is loaded, ES:DI comes back
non-zero.

   xor di, di
   mov es, di
   mov ax, 1684h
   mov bx, 0202h      ; VxD ID of WINICE
   int 2Fh
   mov ax, es         ; ES:DI -> VxD API entry point
   add ax, di         ; non-zero if an entry point was returned
   test ax, ax
   jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

   xor di, di
   mov es, di
   mov ax, 1684h
   mov bx, 7A5Fh      ; VxD ID of SIWVID
   int 2Fh
   mov ax, es         ; ES:DI -> VxD API entry point
   add ax, di
   test ax, ax
   jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers when int 41h, function 4Fh (the debugger installation
check), is called. There are several variants.

The following one is the simplest:

   mov ax, 4Fh
   int 41h
   cmp ax, 0F386h
   jz SoftICE_Detected

The next one, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first pointed at a
dummy handler (a plain iret; es is assumed to be 0, the interrupt vector
table). A real-mode handler cannot then return 0F386h, so if ax still comes
back as 0F386h, something sitting below the vector table, i.e. SoftICE,
answered the call:

   mov bx, cs
   lea dx, int41handler2
   xchg dx, es:[41h*4]       ; swap in our own handler, keep the old vector
   xchg bx, es:[41h*4+2]     ; in dx:bx
   mov ax, 4Fh
   int 41h
   xchg dx, es:[41h*4]       ; restore the original vector
   xchg bx, es:[41h*4+2]
   cmp ax, 0F386h
   jz SoftICE_Detected

int41handler2 PROC
   iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to spot,
since neither 4Fh nor 0F386h appears in the code. The installed handler
copies al into cl; the check only passes if that handler really ran with
the same al, so a debugger answering int 41h itself (or altering al)
leaves cl different from al:

int41handler PROC
   mov cl, al
   iret
int41handler ENDP

   xor ax, ax
   mov es, ax                ; es = 0 -> interrupt vector table
   mov bx, cs
   lea dx, int41handler
   xchg dx, es:[41h*4]       ; swap in our own handler
   xchg bx, es:[41h*4+2]
   in al, 40h                ; read a varying value (PIT counter) into al
   xor cx, cx
   int 41h
   xchg dx, es:[41h*4]       ; restore the original vector
   xchg bx, es:[41h*4+2]
   cmp cl, al
   jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

   mov ah, 43h
   int 68h
   cmp ax, 0F386h
   jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

   BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...).

   mov ah, 25h
   mov al, Int_Number        ; 01h or 03h
   mov dx, offset New_Int_Routine
   int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ecx)
for that device if it is installed.

   mov eax, Device_ID     ; 202h for SICE or 7A5Fh for SIWVID VxD ID
   mov edi, Device_Name   ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov [DDB], ecx         ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect if SoftICE is loaded (dr7 = 0x700 if you loaded the program with
the SoftICE loader, 0x400 otherwise) or if some memory breakpoints are set
(dr0 to dr3), simply by reading their value (ring 0 only). The values can
be manipulated or changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver
handles (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\.\SICE" is the device name of the SoftICE VxD */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;        /* the handle could be opened: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
try to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

   00401067:  push 00402025       ; "\\.\SICE"
   0040106C:  call CreateFileA
   00401071:  cmp eax,-001
   00401074:  je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
   ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
   ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push 00                   ; OF_READ
   mov eax,[00656634]        ; '\\.\SICE',0
   push eax
   call KERNEL32!_lopen
   inc eax                   ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz 00650589              ; detected
   push 00                   ; OF_READ
   mov eax,[00656638]        ; '\\.\SICE'
   push eax
   call KERNEL32!_lopen
   inc eax
   jz 006505ae               ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

   push 0000004Fh         ; function 4Fh
   push 002A002Ah         ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
   call Kernel32!ORD_0001 ; VxDCall
   cmp ax, 0F386h         ; magic number returned by system debuggers
   jz SoftICE_Detected

Here again, several ways to detect it:

   BPINT 41 if ax==4f

   BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

   BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

   BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to find out whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

   -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
        \Uninstall\SoftICE
   -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
   -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
        \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
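As an added example (not from the original text), the breakpoint conditions given for Method 11 (the CreateFileA check) and for Method 13 (the _regopenkey check above) can be rebuilt from the strings they test, which is also how you would adapt them to another device name or key. The code assumes 32-bit stdcall entry state (on entry [esp] holds the return address, so esp->4 is the first argument and esp->8 the second) and that SoftICE's '*' operator reads the four bytes at an address and compares them, in memory order, with a four-character constant; the choice of decimal below 10 and 0x-prefixed hex above it simply reproduces the page's own spelling.

```python
"""Build the SoftICE conditional-breakpoint expressions of Methods 11 and
13 from the strings they test.

Added example, not from the original text. Assumptions: 32-bit stdcall
entry state (on entry [esp] is the return address, so esp->4 is the first
argument and esp->8 the second) and SoftICE's '*' operator reading the
four bytes at an address and comparing them, in memory order, with a
four-character constant.
"""

DEVICE_NAMES = ["\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"]
DEVICE_PREFIX = "\\\\.\\"          # the 4 bytes every device name starts with
REGISTRY_KEYS = [                  # the keys the page's _regopenkey BPX covers
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
]


def arg_expr(index: int) -> str:
    """SoftICE expression for the index-th (1-based) stack argument."""
    return f"esp->{4 * index:x}"


def dword_tag(s: str, offset: int) -> str:
    """The four characters that *(addr+offset) reads from string s."""
    if offset < 0 or offset + 4 > len(s):
        raise ValueError("offset does not cover four bytes of the string")
    return s[offset:offset + 4]


def tag_offset(s: str, tag: str) -> int:
    """Offset of a four-character tag inside s (ValueError if absent)."""
    if len(tag) != 4:
        raise ValueError("tag must be exactly four characters")
    off = s.find(tag)
    if off < 0:
        raise ValueError(f"{tag!r} not found in {s!r}")
    return off


def condition(arg_index: int, offset: int, tag: str) -> str:
    """One *(esp->N+off)=='TAG' term, in the page's notation."""
    disp = f"+{offset}" if offset < 10 else f"+0x{offset:x}"
    return f"*({arg_expr(arg_index)}{disp})=='{tag}'"


def createfile_condition(names=DEVICE_NAMES) -> str:
    """lpFileName is CreateFileA's first argument; skip the device prefix."""
    off = len(DEVICE_PREFIX)
    return " || ".join(condition(1, off, dword_tag(n, off)) for n in names)


def regopenkey_condition(keys=REGISTRY_KEYS, tag="tICE") -> str:
    """lpSubKey is RegOpenKey's second argument; locate the tag in each key."""
    return " || ".join(condition(2, tag_offset(k, tag), tag) for k in keys)


if __name__ == "__main__":
    print("BPX CreateFileA if " + createfile_condition())
    print("BPX _regopenkey if " + regopenkey_condition())
```

Running it reproduces both expressions from the page, and shows where 0x13 and 0x37 come from: "Software\NuMega\" is 16 bytes, so 'tICE' of "SoftICE" starts at 16+3 = 0x13, while the Uninstall key puts "SoftICE" at byte 52 and its 'tICE' at 0x37. Any four-byte window inside the string would do as a tag; the page picks 'tICE' because it is the same for both keys.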

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je not_installed          ; ZF set when no debugger is installed

This service just checks a flag.
1 ]' ]6 @7 _ J% L: ^</PRE></TD></TR></TBODY></TABLE> |