<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call SoftICE's 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
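The two INT 3 checks above leave fixed immediates in the code (the 'BCHK'
constant for method 01; the 4647h/4A4Dh magic values and the 09xxh function
number for method 02), and those are what an analyst triaging a packed sample
looks for. The following Python scanner is an added example and not part of
the original text: it walks a byte buffer and, for every INT 3 (0CCh), checks
the preceding bytes for those operands and reports which back door function
the code requests. The instruction encodings are assumed to be 16-bit for the
method 02 listing and 32-bit (66h operand-size prefix on mov ax,4) for method
01; WINDOW and the sample buffer are constructed for the example.

```python
"""Static scanner for the INT 3 based SoftICE checks of methods 01 and 02.

Added example, not part of the original text.  It looks for the immediates
the text names (the 'BCHK' constant, the 4647h/4A4Dh magic values and the
09xxh function number) in the bytes that precede each INT 3 (0CCh).
"""
import re

# Back door function numbers from the method 02 description
BACKDOOR_FUNCS = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}

# 16-bit encodings of the setup instructions in the method 02 listing
MOV_SI_4647 = b"\xBE\x47\x46"                         # mov si,4647h
MOV_DI_4A4D = b"\xBF\x4D\x4A"                         # mov di,4A4Dh
MOV_AX_09XX = re.compile(rb"\xB8(.)\x09", re.DOTALL)  # mov ax,09xxh

# 32-bit encodings assumed for the method 01 listing
MOV_EBP_BCHK = b"\xBD\x4B\x48\x43\x42"                # mov ebp,4243484Bh ('BCHK')
MOV_AX_4 = b"\x66\xB8\x04\x00"                        # mov ax,4 (66h prefix)

WINDOW = 16   # assumed: how far back from the INT 3 the setup may sit


def find_int3_checks(code):
    """Return [(offset_of_int3, description), ...] for every INT 3 whose
    preceding WINDOW bytes contain one of the two documented setups.
    A lone INT 3 (an ordinary breakpoint) is not reported."""
    hits = []
    for off in range(len(code)):
        if code[off] != 0xCC:
            continue
        window = code[max(0, off - WINDOW):off]
        if MOV_EBP_BCHK in window and MOV_AX_4 in window:
            hits.append((off, "method 01: BoundsChecker 'BCHK' signature check"))
        elif MOV_SI_4647 in window and MOV_DI_4A4D in window:
            m = MOV_AX_09XX.search(window)
            if m:
                func = 0x0900 | m.group(1)[0]
                name = BACKDOOR_FUNCS.get(func, "unknown function")
                hits.append((off, "method 02: back door AX=%04Xh (%s)" % (func, name)))
            else:
                hits.append((off, "method 02: magic values without a 09xxh function"))
    return hits


# Constructed sample: the Haspinst loop body assembled by hand (16-bit),
# then a 32-bit method 01 check, then a lone INT 3 that must not be reported.
SAMPLE = (
    b"\xB8\x11\x09"              # mov ax,0911h
    b"\x8B\x17"                  # mov dx,[bx]
    b"\xBE\x47\x46"              # mov si,4647h
    b"\xBF\x4D\x4A"              # mov di,4A4Dh
    b"\xCC"                      # int 3            (offset 11)
    b"\x83\xC3\x02"              # add bx,2
    b"\x90\x90\x90\x90"          # padding
    b"\xBD\x4B\x48\x43\x42"      # mov ebp,4243484Bh
    b"\x66\xB8\x04\x00"          # mov ax,4
    b"\xCC"                      # int 3            (offset 28)
    b"\x3C\x04"                  # cmp al,4
) + b"\x90" * 16 + b"\xCC"       # lone int 3       (offset 47)

if __name__ == "__main__":
    for off, what in find_int3_checks(SAMPLE):
        print("0x%04X: %s" % (off, what))
```

On real samples the setup instructions may be interleaved with junk, so widen
WINDOW (or tolerate gaps between the three moves) if the scanner misses a
check that is visible in the disassembler.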
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0 -> real-mode interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h                 ; ...so that without a debugger ax stays 4fh
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> real-mode interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; unpredictable value read from the timer
    xor cx, cx
    int 41h                 ; our handler copies al into cl...
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; ...unless a debugger intercepted the call
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (by a VxD, or by a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
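Method 10 reads the debug registers from ring 0, but an analyst more often
meets a DR7 value second-hand (in a crash dump, a kernel debugger or a VM
trace) and has to interpret it. The following Python helper is an added
example, not code from the original text: it decodes DR7 into its documented
x86 fields and applies the two values quoted above (0x400: nothing armed, only
the always-set reserved bit 10; 0x700: additionally the LE/GE exact-breakpoint
bits, the pattern the text attributes to the SoftICE loader). The third value,
a global 4-byte write breakpoint on DR0, is constructed for the example.

```python
"""Decoder for the DR7 values quoted in method 10.

Added example, not code from the original text.  The field layout is the
documented x86 DR7 layout: L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9,
reserved bit 10 (always reads as 1), GD bit 13, then R/Wn and LENn pairs in
bits 16-31.
"""

LE_BIT = 0x100          # local exact breakpoint enable
GE_BIT = 0x200          # global exact breakpoint enable
RESERVED_BIT10 = 0x400  # always set; the only bit in the quiescent 0x400
GD_BIT = 0x2000         # general detect: trap on any MOV to/from DRn

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN field encoding (2 = 8 bytes, 64-bit only)


def decode_dr7(dr7):
    """Split DR7 into the per-breakpoint fields and the control bits."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({
            "index": i,
            "local": bool(local),
            "global": bool(glob),
            "enabled": bool(local or glob),
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "breakpoints": bps,
        "any_enabled": any(b["enabled"] for b in bps),
        "LE": bool(dr7 & LE_BIT),
        "GE": bool(dr7 & GE_BIT),
        "reserved_bit10": bool(dr7 & RESERVED_BIT10),
        "GD": bool(dr7 & GD_BIT),
    }


def classify(dr7):
    """Apply the observations of method 10 to a DR7 value."""
    d = decode_dr7(dr7)
    if d["any_enabled"]:
        armed = ", ".join("DR%d" % b["index"] for b in d["breakpoints"] if b["enabled"])
        return "hardware breakpoint(s) armed: " + armed
    if d["LE"] or d["GE"]:
        return "no breakpoint armed, LE/GE set (the 0x700 pattern the text attributes to the SoftICE loader)"
    return "quiescent (the 0x400 pattern: only the reserved bit)"


# Constructed values: the two quoted in the text plus one with DR0 armed as a
# global 4-byte write breakpoint (G0 | R/W0=write | LEN0=4 bytes | reserved).
SAMPLES = {
    "plain load": 0x400,
    "SoftICE loader": 0x700,
    "BPM-style write bp on DR0": 0xD0402,
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print("%-28s DR7=0x%X -> %s" % (label, value, classify(value)))
```

Note that decoding only tells you what the register says; reading DR0-DR7 from
ring 3 raises a general protection fault, which is why the text restricts the
trick itself to ring 0.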

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386              ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
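The conditional breakpoints given for methods 11 and 13 all compare one dword
at a fixed offset into the string the API receives, and the offsets 4, 0x13
and 0x37 are not arbitrary. The following Python snippet is an added example,
not part of the original text: it reproduces that arithmetic over the three
device names of method 11 and the three registry sub-keys of method 13, so the
conditions can be verified (and new ones derived with offsets_of) instead of
guessed.

```python
"""Offsets behind the conditional breakpoints of methods 11 and 13.

Added example, not part of the original text.  Each BPX condition above
compares one dword at a fixed offset into the string the API receives;
this reproduces that arithmetic so the conditions can be checked or new
ones derived.
"""

# Device names opened by MeltICE-style checks (method 11)
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]

# Sub-keys of HKEY_LOCAL_MACHINE listed in method 13
REGISTRY_KEYS = {
    "#1": r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    "#2": r"Software\NuMega\SoftICE",
    "#3": r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
}


def tag_at(s, offset):
    """The four characters that *(ptr+offset) would compare (empty past the end)."""
    return s[offset:offset + 4]


def offsets_of(s, tag):
    """Every offset at which a tag occurs in s, for building a new condition."""
    return [i for i in range(len(s) - len(tag) + 1) if s[i:i + len(tag)] == tag]


def device_tags():
    """Method 11: offset 4 skips the '\\\\.\\' prefix, leaving the driver name."""
    return {name: tag_at(name, 4) for name in DEVICE_NAMES}


def registry_tags():
    """Method 13: the two offsets used in the _regopenkey condition, 0x13 and 0x37."""
    return {key: (tag_at(sub, 0x13), tag_at(sub, 0x37)) for key, sub in REGISTRY_KEYS.items()}


if __name__ == "__main__":
    for name, tag in device_tags().items():
        print("%-12s *(name+4)    = %r" % (name, tag))
    for key, (t13, t37) in registry_tags().items():
        print("%s: *(key+0x13) = %-6r *(key+0x37) = %r" % (key, t13, t37))
    print("'Load' in key #3 at offsets:", offsets_of(REGISTRY_KEYS["#3"], "Load"))
```

Running it shows why the _regopenkey breakpoint matches keys #1 and #2: both
yield 'tICE' at one of the two offsets, whereas key #3 yields 'der3' at 0x37,
so a third clause (for example on 'Load' at offset 0x34, which offsets_of
reports) would be needed to cover the App Paths key as well.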

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>