<TABLE width=500>! R; Y" |- W8 O% M$ S
<TBODY>$ u* d) i3 b- Z2 }& N. N) [
<TR># y) Q2 d- q$ Q0 Y5 ~0 L9 B; H! D
<TD><PRE>Method 01
6 I" }; e2 |* a& |=========1 c; Y) \, ?1 X, i. c6 Z% X
& `8 c/ U+ W$ p+ N& B+ v2 bThis method of detection of SoftICE (as well as the following one) is/ J8 Y7 F" i! |1 L* g
used by the majority of packers/encryptors found on Internet.9 b! X1 Y) n- m% Q6 |
It seeks the signature of BoundsChecker in SoftICE3 |6 M% o4 W9 ~ b; `8 f, d
1 W ?+ V2 b1 u; M2 L1 o3 i; T1 ^
mov ebp, 04243484Bh ; 'BCHK'
! D7 d) x. y5 l9 L, r8 Y) U d mov ax, 04h( }) V! j! Z* u4 T
int 3
9 \& K1 ^, a& x0 Z% n. h cmp al,4
& ^! {2 s) }5 z4 v. g! i jnz SoftICE_Detected
% }3 ?; ]- l* ]7 q, F# I) y' {* s' Y$ s
___________________________________________________________________________
- L {' ~8 ?; A; i0 X, U7 \# g# ^' F" X4 l7 |3 P$ g* ^/ _
Method 02+ X5 T; E/ S: E3 I# S/ `) @5 N
=========0 P% ]% E3 `3 W# ~* t$ z" p
1 L" n* [: u# N' J" gStill a method very much used (perhaps the most frequent one). It is used3 D' R$ b) H" [8 E- g
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
2 M" V5 q( N& ?1 s+ r# Por execute SoftICE commands...0 n4 z8 Z( p2 f( e( a
It is also used to crash SoftICE and to force it to execute any commands
( W+ Z! P! B) ?0 g' R: E(HBOOT...) :-(( + a, T4 H* `, J: M" s" J' O
4 v$ F# a8 x, P1 n |2 }4 mHere is a quick description:2 h% i ]& w' W8 K
-AX = 0910h (Display string in SIce windows)# N c7 ?9 Y/ @2 @# W5 |0 z4 A
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)) k" }$ o- D1 C( K' W" v0 y; o
-AX = 0912h (Get breakpoint infos)5 Y, S: a' A i: z* m: p0 u
-AX = 0913h (Set Sice breakpoints)+ [; V+ t! z& L$ y$ y {
-AX = 0914h (Remove SIce breakoints)
0 _7 q$ d1 t" H& h0 B& h9 D: G
8 U* J7 I0 |! h7 a* @% h4 SEach time you'll meet this trick, you'll see:0 i5 [. ?' ~0 j& L, G3 y- \
-SI = 4647h# d' Y( k" c& c# a! n: W. |# R
-DI = 4A4Dh
& h) U k7 P' d/ [Which are the 'magic values' used by SoftIce./ b! Z+ h8 \! _; b# P7 P- z* T' Z% Q
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.* u6 @) r6 o% m) p9 A `
* r) ]2 \ b1 W9 U) y
Here is one example from the file "Haspinst.exe" which is the dongle HASP
8 x, X y' V7 P rEnvelope utility use to protect DOS applications:3 _! E' h3 t- z# a3 J
$ f& ^) n0 {8 F z' J1 w, t+ P; h. N' x3 F6 S/ G; I
4C19:0095 MOV AX,0911 ; execute command.
; W4 }- m; R' p8 y# B0 @3 t4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
1 k/ m; l; C- F$ ]$ E4C19:009A MOV SI,4647 ; 1st magic value.
3 E8 V2 r3 r/ k. n+ [% S4C19:009D MOV DI,4A4D ; 2nd magic value.9 z" |+ l0 t1 |7 o+ J y
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)/ _/ c4 |- Z/ h* C2 N4 \
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute+ Y/ m( H* V. M) G8 q" v
4C19:00A4 INC CX
* ^; ]! c8 j$ I# t& X/ ~. i5 N4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
/ v! P& G% E# n. g$ u) B4C19:00A8 JB 0095 ; 6 different commands.0 }; C$ }, {! h9 Y& M6 R
4C19:00AA JMP 0002 ; Bad_Guy jmp back.4 P! d/ x' _/ n9 W9 s9 p) Y; o8 i. f
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
7 @. ]/ O0 a7 a' @
# L0 J8 G; ~. ~The program will execute 6 different SIce commands located at ds:dx, which8 b4 c+ w7 x/ w: v8 q1 j. f& }: p
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
8 h! H0 t8 }( |$ n
$ M0 m* X* k4 x! }* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
) F% ~6 ?* j2 N- D+ s- j: |___________________________________________________________________________
/ L4 F8 h; y; _) r/ F
! f$ F e$ U0 e: x+ ^
4 X0 d e1 \: y( pMethod 03
' u, i, z+ B: Y; t7 j" E=========; G6 y* F, h# Y- H3 `' b
! v% m2 B. q* P4 Q# cLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
0 _: e& i5 k. H3 ?/ W" N: A" P(API Get entry point)
9 P" }; I. ^0 ^( u* a
, L3 |3 y% C0 y1 S( @( R: s0 w( o. F2 C
xor di,di
1 n; @) O) _5 W# p7 R+ x3 V; y mov es,di
3 |8 ^, r4 y% u6 q$ i, {# h: ~ mov ax, 1684h # u, e; t2 F1 A# R- D7 v/ f4 m
mov bx, 0202h ; VxD ID of winice
$ O0 x; \, r; Q int 2Fh8 m* [# n; z( A
mov ax, es ; ES:DI -> VxD API entry point
0 |+ ~1 l: c5 O3 Z# q add ax, di
; }. A, X/ C- a( _2 _ test ax,ax
# ]4 X3 F5 F, B# O3 x jnz SoftICE_Detected
8 ~. e. \8 F. |2 ?
( f7 G8 R9 _" M$ a( q% L5 ^) h___________________________________________________________________________
4 r! y& H/ L) I
0 r# X& l8 [: _/ {) N, n# B6 sMethod 04. x8 S" F% r5 A m1 l' `
=========
# J4 }) M* f- N7 P
" C, Y1 B8 ^- {9 \% E6 |Method identical to the preceding one except that it seeks the ID of SoftICE
( R" V5 ^9 [1 I+ [- BGFX VxD.
, U5 g# Z: I, }7 }3 j7 V8 v1 Y2 w7 x5 V0 v9 R# ]
xor di,di
0 d# I7 V# S( D! k mov es,di
+ v5 Q% k. j: r$ J mov ax, 1684h R+ j- U w6 z, A5 A- H& M1 ^6 x
mov bx, 7a5Fh ; VxD ID of SIWVID- s+ M. F, D& N3 d+ f* ]/ p- P
int 2fh
( R, M" V7 Q& O1 ] mov ax, es ; ES:DI -> VxD API entry point1 n4 w! M5 l1 U' o& C
add ax, di; ?' n% i* P" v1 [1 w0 L u' |
test ax,ax
/ h# K% L) |- G0 K; g jnz SoftICE_Detected6 T& i9 h9 q% [# _) F# h- v& I* @, f
8 Q( R+ b& Q, Q8 y! G__________________________________________________________________________
( H0 E e& h( k( b1 U, M* c5 e: e% R6 }" q; o5 N d
# F) z1 q2 C; p: _$ l" o& X/ ~4 d+ K
Method 05
" s: T* v0 e& Q! A. \! C=========
7 P1 a" ]" \: n
7 [5 T8 l/ O) a# u! `5 y$ \8 aMethod seeking the 'magic number' 0F386h returned (in ax) by all system
5 b7 \8 H/ g; K5 c l' Edebugger. It calls the int 41h, function 4Fh.
( O: R O! ^0 _There are several alternatives.
. ~3 {. B9 D3 W
! X/ ^8 E3 }7 jThe following one is the simplest:
3 B& w: y0 o, a2 |5 ~6 a- A2 [9 t D9 j8 j% c
mov ax,4fh3 k& I: v9 Y" F
int 41h
) O# \) v5 U; g5 X cmp ax, 0F386
9 M* A \9 J( r) T! W+ f jz SoftICE_detected
5 o% m+ q* L+ t( ]$ r: r" h0 C O$ ?/ s% L3 }
5 C: @9 k5 P* N# s) @* XNext method as well as the following one are 2 examples from Stone's
% t$ t3 l- T6 j# k! S"stn-wid.zip" (www.cracking.net):! Y( A% i; g: A3 Q- Z
# ^6 e: A- [9 Z5 ?1 { mov bx, cs0 H$ T6 E% D* H$ j) h* a! s& p
lea dx, int41handler2
5 E. i" y% s7 } xchg dx, es:[41h*4]7 Y2 d5 {7 K1 ^# m4 P
xchg bx, es:[41h*4+2]" X, {' `7 F8 w% P
mov ax,4fh# Z# A9 n( M# J. e7 |; l
int 41h
% P# H" f, ^. K$ x* `$ @ xchg dx, es:[41h*4]- ?+ i, w1 x) R+ M
xchg bx, es:[41h*4+2]
* S7 e+ g( Q' E8 d+ J" y5 a cmp ax, 0f386h. z/ U- F- |4 r( V
jz SoftICE_detected- B: P$ Q. S: ?& d* s& O' [6 r& |4 p
- B- F2 ^0 s5 X/ L
int41handler2 PROC
5 a6 L6 }' v' j% V iret' W$ n: J- F ^* k
int41handler2 ENDP' ?/ {$ _0 m2 Q( W; b0 e9 @
3 a7 z5 T6 R; e9 P
+ W; ]4 {7 j, R' ^+ T% e
_________________________________________________________________________% k' ]: f7 m) }6 w
" C, s2 Q" w2 w" ]& P" B. `0 R
4 b$ ]; n7 j3 }* z* y' oMethod 069 M* Z+ p+ U) t
=========
9 ]3 W2 \+ s, E3 G1 M- {
2 c) [+ x& n( S% ~7 z7 g5 x) h8 o9 |: C2 w
2nd method similar to the preceding one but more difficult to detect:* `2 ^9 N9 Y' x. I5 `4 G* T; P5 M
9 f( P8 T8 r( E# u, H, G( C; ?6 ~1 u
# D; B6 q9 X3 ~0 Q8 }6 v* Gint41handler PROC
. K0 \+ R: C* D k! p, z mov cl,al
G' a/ [. m/ Y6 I) \7 B# C/ a6 O iret
0 d! s$ g$ X) E7 r9 k" Vint41handler ENDP( z" {! ]9 r) {
) @0 ^+ u! b7 O6 y! c+ j* Z0 g+ S
: \5 f* o8 j' G l( p( S5 U( T xor ax,ax
9 I& c& K' R, D9 N0 Q mov es,ax
" d: \7 V$ n/ \6 [: S, j8 R* d7 C" I mov bx, cs
8 c7 _/ \, b. z- T lea dx, int41handler0 G% g$ w( M0 V2 |2 Y) ^$ X/ R
xchg dx, es:[41h*4]" b0 Z2 ]1 P. |5 U R
xchg bx, es:[41h*4+2]+ i) ?' r% q9 T) j& ]1 z& Z
in al, 40h# _8 J. E: l2 ~9 I
xor cx,cx% l5 X2 y: M o/ L5 {. @) n2 C' L6 u$ D: [
int 41h% S/ O) X' ^" ?4 n/ t: w
xchg dx, es:[41h*4]' I' j( ~$ Q# X
xchg bx, es:[41h*4+2]
( S' ]: C4 W9 c" ^/ X/ m: q cmp cl,al
7 ^5 c1 h0 M( [" M) a jnz SoftICE_detected
2 P' G, Q# E% u2 R; z" P2 [
7 R9 {4 x4 g6 P; |0 m! r0 V: e_________________________________________________________________________& o6 L: s; ~) n
' V) A# @. Z9 S6 @ v( [
Method 07
- Y# R* n# B+ ^6 J0 h8 ~2 H U=========& j1 e5 }1 n7 _9 R2 E7 `" ?- B3 {8 |
! w3 w1 C" P7 A& P
Method of detection of the WinICE handler in the int68h (V86)$ c) F' l/ K e: N6 V$ ?1 E1 {
) K0 E1 M8 m. g
mov ah,43h
9 v ]* ] T$ y& g n int 68h
7 M& e4 o9 H: a$ U5 ] cmp ax,0F386h
0 x, p' N: b: |, r jz SoftICE_Detected, S0 N. V5 Z8 R' i$ d6 p% I6 q
. N. E8 s. K/ ?. B# ]( d( D/ H# A: X3 p
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
! `) g" k& r2 O; [) v0 e; |9 Q app like this:
2 G6 p% ^5 i7 `1 l. X3 l2 H7 {7 Q A; `9 Z; l+ M
BPX exec_int if ax==68
% E+ z5 ~, D' M, ^1 e) r# b (function called is located at byte ptr [ebp+1Dh] and client eip is' i+ W5 r3 G3 Y( U# m* C( I
located at [ebp+48h] for 32Bit apps)1 }" }# J% F% u# a+ V4 N) H
__________________________________________________________________________
* e9 ~/ J. E2 i! r$ q" c0 ^" B+ o* N' M; S
* Z1 F8 C. z# ]4 KMethod 08
+ O. `' \9 \5 _9 `=========) \! P$ x% i) x/ h! Q0 }2 ]
0 U2 o) u, b0 \, KIt is not a method of detection of SoftICE but a possibility to crash the1 Q. b0 r& b: R& G
system by intercepting int 01h and int 03h and redirecting them to another
8 w9 [5 v; s$ b. r; I0 g9 b! {routine.- |! H) W' M4 o' f) @) F3 v
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points) b. Q8 T3 I) E2 A$ n$ n( g7 e
to the new routine to execute (hangs computer...)/ K5 \) |0 r, j* k$ F$ M# _
2 [8 R) a7 m( N* ~' x& n
mov ah, 25h
! u# a; U- B- S5 A3 C6 Q mov al, Int_Number (01h or 03h)0 C5 q; R! }7 m4 } E2 O' P, K
mov dx, offset New_Int_Routine8 n) ?! x5 A; _2 x' `7 O& v
int 21h
9 r& v: A( N+ n( G5 O
+ c9 Q. A: F% E# Z__________________________________________________________________________
5 `0 C& ?" U9 l4 ~. R8 a
2 x: |) D: {; P. G$ mMethod 094 z2 F8 A; |6 r9 `' x5 n1 T* |/ J
=========
+ k) U J+ Q6 R6 g
; r+ H% H c% [This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
5 L% y6 d4 e0 r8 b# _8 G0 @# Mperformed in ring0 (VxD or a ring3 app using the VxdCall).5 g5 w! N9 r) ?; G- w/ U1 u0 [
The Get_DDB service is used to determine whether or not a VxD is installed
" O0 j8 y9 k4 _, i" a! m) m u4 rfor the specified device and returns a Device Description Block (in ecx) for' v$ Y" l3 E4 C4 {4 X
that device if it is installed.
2 n6 s: _) U7 U7 ]3 y( g, ^0 \2 C2 O- H
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID) w6 F# q8 ~6 k/ S5 R
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
% _: k" N4 l8 X6 { VMMCall Get_DDB
9 w" T! H/ j/ R! Q* b mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed7 a( D: R5 m) i- k. `
( U9 Z: t8 @+ P" H5 I" q8 N8 ]Note as well that you can easily detect this method with SoftICE:% Y( H+ Z( V; B0 t( G- P7 y
bpx Get_DDB if ax==0202 || ax==7a5fh2 }& e; H# Q L$ t, Z
7 b2 ?& X& z1 j- U__________________________________________________________________________, a2 Y3 \9 y% [% W
/ |; O% x9 c* H3 VMethod 10
( P* b8 l) i! v% h S! \0 F: ?% r=========
- c. u1 N: m8 T0 ` f4 J; \6 @; _; f- p% _( ?
=>Disable or clear breakpoints before using this feature. DO NOT trace with/ h0 R! k' ?0 S( I$ H9 |+ P
SoftICE while the option is enable!!
- I0 {% k# x% G( _* D. S$ D# k! ]" Z" {( u8 D5 V6 z
This trick is very efficient: D0 R& b1 |5 p6 P" v" Z" |
by checking the Debug Registers, you can detect if SoftICE is loaded x% q `2 J+ g$ G9 c
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if. z5 q& W. M7 l" E! d8 _
there are some memory breakpoints set (dr0 to dr3) simply by reading their. u+ d8 Y1 I& ~5 M
value (in ring0 only). Values can be manipulated and or changed as well3 j1 `) U$ j. w; Y4 D6 D1 N9 z
(clearing BPMs for instance)
8 r: g. m* z. U6 V: E. t" v5 Y @* j! B" D: f/ i% a' u
__________________________________________________________________________$ J) @) x0 |8 N. n! o0 S% @5 [
% b f. ~& B5 T4 ?8 XMethod 11
9 t/ k5 J2 b0 ^$ M1 a& ]% C: u3 ^=========# T7 f" f. A% f' a3 K. T& ~9 N
' n9 A$ T$ ^ U+ O5 L P9 W
This method is most known as 'MeltICE' because it has been freely distributed7 }( H& H$ ^) U" G
via www.winfiles.com. However it was first used by NuMega people to allow
* g+ j' x1 g: ]6 Y+ oSymbol Loader to check if SoftICE was active or not (the code is located8 }" W$ i0 o8 ~
inside nmtrans.dll).0 D: R. j0 ^* c/ b% {
) T, A' A* c3 Y( L$ [The way it works is very simple:0 A7 H @$ R) k' ~2 Z" Z
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
$ M; N" h- \. h9 G* JWinNT) with the CreateFileA API./ F. Q; ?$ {8 w- w( u: G
& F( v4 F4 B# h% n2 ^. x5 v6 uHere is a sample (checking for 'SICE'):0 a, _0 d4 W# V
# p* S6 {+ ]9 D e+ D& @
BOOL IsSoftIce95Loaded()
& n6 D L9 C) o5 R{ O" e6 h* K2 Q
HANDLE hFile; * |- ^- v& f$ Z0 R% W
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
7 c9 m9 A, s, x M, }3 C: x6 Y7 T FILE_SHARE_READ | FILE_SHARE_WRITE,
6 V( t( G5 |* q0 u NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
6 \) a' ^% |, }8 w8 L# V, l8 Y if( hFile != INVALID_HANDLE_VALUE ): H. [9 E5 x- y- O! S3 g* |4 X
{
+ Z3 s, J L9 j CloseHandle(hFile);; r' V0 B# g# s2 @( i( Y7 ^3 ]
return TRUE;
/ u1 X. z8 k6 H; x) m }
: |1 W* u1 V' U return FALSE;
+ g+ p* u2 k$ a. U: n0 j3 P}
3 c/ s R1 w& K2 U4 f& k+ R
7 c7 `/ ]$ r: [" H- |$ M5 D; x' LAlthough this trick calls the CreateFileA function, don't even expect to be
" d( q$ ~4 l& }" bable to intercept it by installing a IFS hook: it will not work, no way!+ u' T5 V, w# c
In fact, after the call to CreateFileA it will get through VWIN32 0x001F D) `5 U; n% W. I$ q* _0 S
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)" g" w+ }! m9 K" G( w3 \0 b
and then browse the DDB list until it find the VxD and its DDB_Control_Proc' z2 d' G8 ~+ Z( S
field.- ]! @: u( s4 p2 f' V J
In fact, its purpose is not to load/unload VxDs but only to send a
( i# o- J& S1 z: k8 D" `W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)! r I' y) Q" ]" ]+ A! m* j& j8 Q
to the VxD Control_Dispatch proc (how the hell a shareware soft could try3 j9 ^5 A6 T% p1 C: B/ R2 P: u; @
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
' c- G( k( r. d/ R4 {+ x* U0 m& QIf the VxD is loaded, it will always clear eax and the Carry flag to allow4 j s5 C6 k' O, u( r6 x! p
its handle to be opened and then, will be detected.
3 ?! e: ?' c3 V( |8 f+ C/ qYou can check that simply by hooking Winice.exe control proc entry point, {" Z/ M4 u: P% t4 B* O1 C
while running MeltICE.9 p. f: k1 g0 }
/ X+ t4 t1 Q- _3 s
; q1 ]3 B# y8 ~5 d, q9 E 00401067: push 00402025 ; \\.\SICE
! k% I0 q3 c. {5 t% Q' z; X 0040106C: call CreateFileA" @* J* V. F2 `5 t# E$ S# i
00401071: cmp eax,-001
" z4 \. n! Z0 k- K' ] 00401074: je 00401091
2 k; B/ x1 m' b! g+ A& D( ?
5 c5 t( I: S! s) Y# A! ?- v' i2 F9 S) Q
There could be hundreds of BPX you could use to detect this trick." y4 c2 r) C+ a# J( B
-The most classical one is:* ]( {! b$ q" O4 a1 D
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||% c( \: r# t9 ^- I, _4 ]: E$ R2 g
*(esp->4+4)=='NTIC'; l" n; n8 q/ ]' K: b
+ `) t F) z9 {, h9 d7 W-The most exotic ones (could be very slooooow :-( z3 F- i$ G3 A
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
: E* M9 a- o* Q9 ~' }8 s0 | ;will break 3 times :-(" Y2 s& S2 h' G8 a- ?
6 _: p4 m/ ~. j3 d-or (a bit) faster: / {% h" d4 v, J9 r" m- }5 ^; P( q
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
4 R, L* }6 }3 ?! ]' ?% Z
, n3 h9 x" i) l BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
$ Z" I4 f* w8 Z ;will break 3 times :-($ Y1 Z# v9 d. O4 a* k- g
8 F5 [! @; ^- s3 |# e' h2 J i& A
-Much faster:
% T V" ^. ]3 V BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
/ f% n: M7 F$ f. x" W2 h4 w* o8 l3 `; U0 M6 T. ^
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
/ T0 f! F+ j; {9 q m+ Tfunction to do the same job:
2 I. C# E) A: B/ s
; ?! F8 a/ F' Y/ {5 t- H! H push 00 ; OF_READ
# m2 z. m' e) Z* h& g" s mov eax,[00656634] ; '\\.\SICE',06 ^! j& Q p- D! x4 C2 f8 L- M5 @
push eax
Q2 d; V3 M( ^ call KERNEL32!_lopen
% m, n! Y; }8 b6 H) D inc eax4 Y+ v# H& H5 H' l
jnz 00650589 ; detected
! ?8 t( r2 ]1 S0 g, h- M push 00 ; OF_READ
3 _/ x5 A- T3 X: O! R1 O* M: K mov eax,[00656638] ; '\\.\SICE'
) v9 i8 \+ n8 W$ a* J push eax
R/ P' N7 S1 E call KERNEL32!_lopen
6 K! \6 w: M' X, ^$ B2 y inc eax
q z I0 M% A: q) M+ u5 M jz 006505ae ; not detected
$ b0 s {5 l7 X) i- C) J6 X$ J( S( P, e0 I: F2 `+ a( B% \6 Z: [
9 O" @# W! K6 T, U7 Y6 v4 O__________________________________________________________________________
, V, e* p5 k, U6 |9 d
5 m8 H: {( \1 A" p8 rMethod 12' ?: ]0 N) h, L6 Y. g6 q$ F
=========0 J. M& |9 `0 J9 E2 [# K! w6 i# V
* N; G( F; n+ r3 KThis trick is similar to int41h/4fh Debugger installation check (code 051 h; B2 r9 Q4 A; D
& 06) but very limited because it's only available for Win95/98 (not NT), L) y( Q5 e5 n; I
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.3 y" n% o! b5 J. P
1 e, \' q+ g4 L# Q
push 0000004fh ; function 4fh
: o- I3 X! K, u0 Q# B6 D push 002a002ah ; high word specifies which VxD (VWIN32)6 l- T$ U& u& Q5 g6 D) U
; low word specifies which service
& s& R4 {% |( ?& Z (VWIN32_Int41Dispatch)8 S# H7 w2 e; b& c* u0 D
call Kernel32!ORD_001 ; VxdCall
9 C. K( w. ?; W& e cmp ax, 0f386h ; magic number returned by system debuggers7 G7 R* A" n1 p
jz SoftICE_detected
3 p6 M8 A$ M% e+ {9 i( n- n$ w- x8 {! a/ j" t
Here again, several ways to detect it:
- y- j+ m4 B" O2 R. a# G4 ?1 p) W G9 \0 K" N. i! h
BPINT 41 if ax==4f6 @4 w- a! z: t1 d
: g9 ?( n* ?4 p1 C
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
; I* \& I0 W5 E3 o& i- t' Y2 t/ o/ J' c* s4 a' Z/ I9 c
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A9 o/ l. }5 z/ ?# |2 c3 [
# d1 f3 W( a5 Z+ g) y9 ?
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!- h3 c7 V! A! i l2 c
( h- y2 n* G& B$ X5 k y% [
__________________________________________________________________________$ U( B a9 B9 Q# p
* Y, u; L& i; H" q0 ~ qMethod 13
! P' K- z6 S/ L1 V. P=========
1 }) X' h8 H$ s; `& Y. b: v5 l& [2 Z4 r0 s4 h: i- x0 J4 {
Not a real method of detection, but a good way to know if SoftICE is
) R/ Y) c" W1 Zinstalled on a computer and to locate its installation directory.. p9 @, \. v+ t2 G$ p U# x
It is used by few softs which access the following registry keys (usually #2) :
$ _) b' J. U7 l( l- R
% k7 _8 g7 k& f8 r8 A-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
/ ?8 K1 z& R; L+ b' c( [\Uninstall\SoftICE5 h% A& d5 x" w B/ z
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
" t! o! y8 Y$ o+ ^4 O2 C-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
5 }2 q8 J" }2 f! E5 _\App Paths\Loader32.Exe
2 ~. m" g7 ?2 {4 D1 y
' j% f/ k4 `* H- D: C% G, V. M l8 F6 _9 V$ n$ p
Note that some nasty apps could then erase all files from SoftICE directory$ {) Q' h, K+ }2 Q/ p2 T. ^
(I faced that once :-(8 ?: y# M7 i9 N3 N& v5 d, w2 }. E
% F8 Q) i% Y# j8 y3 o/ Q" a4 n; @
Useful breakpoint to detect it:" m) K2 u7 e3 D' S" Z7 h
6 d& D+ {; t+ O* w( P0 u. ]
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
9 M O1 c% S* X9 p0 x! ?1 O9 d! f0 L$ ?' s) C1 ^* f( S
__________________________________________________________________________7 }' L4 d8 {, @% c
2 R+ {6 e x" \- [' y( I
2 b a" u' p! C* G4 k
Method 14 4 Y6 v! C. c, ?# u
=========3 r& K, F7 T2 g4 B3 R- d6 x
9 i5 u) B2 B p9 D( J/ F0 w) fA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose x' a- i: b- ~- d
is to determines whether a debugger is running on your system (ring0 only).
1 d- C; ~* m- o0 a3 O3 O. |! d8 ^% z, V3 g q. h/ y5 H( ?
VMMCall Test_Debug_Installed2 e7 Q. y5 t, t1 E0 S4 P
je not_installed; P, I. a3 _) T
. c$ \/ N) _6 C% E) Q+ H! N
This service just checks a flag.
# B5 ?' I- P% X ?</PRE></TD></TR></TBODY></TABLE> |