<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE recognises:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; AL stays 4 unless SoftICE handled the int 3
    jnz SoftICE_Detected
___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
These are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911     ; execute command.
4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647     ; 1st magic value.
4C19:009D MOV DI,4A4D     ; 2nd magic value.
4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
4C19:00A8 JB 0095         ; 6 different commands.
4C19:00AA JMP 0002        ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di              ; ES:DI stays 0:0 if the VxD is not present
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES must be 0 here (as in Method 06) so that es:[41h*4] is the IVT entry
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own (empty) int 41h handler
    xchg bx, es:[41h*4+2]   ; and save the previous vector in bx:dx
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the previous vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler copies AL into CL
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; arbitrary value (timer port) in AL
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the previous vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; CL != AL if our handler was not the one executed
    jnz SoftICE_detected

___________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h             ; set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SoftICE Win9x driver answers a device open. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);   /* the driver is loaded: the open succeeded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025     ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0 when the open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
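As an added example (not part of the original text), here is a small Python scanner of the kind an analyst would run over a suspicious binary to flag the byte encodings of the tricks above (methods 01, 03/04, 05, 07, 11 and 12). The patterns are my own encodings of the instructions quoted on this page, and the sample blob is constructed, not taken from any real program:

```python
import re

# Byte encodings of the instruction sequences quoted above. The optional
# 0x66 operand-size prefix lets one pattern match 16-bit and 32-bit code.
SIGNATURES = {
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3
    "bchk_int3":       rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "int2f_get_entry": rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "int41_fn4f":      rb"(?:\x66)?\xB8\x4F\x00\xCD\x41(?:\x66)?\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h
    "int68_fn43":      rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh ; push 2A002Ah ; call VxDCall
    "vxdcall_int41":   rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}

# Method 11 (MeltICE): driver device names opened via CreateFileA / _lopen.
DEVICE_NAMES = ("\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE")


def scan(blob: bytes) -> dict:
    """Return {signature_name: [offsets]} for every trick found in blob."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in re.finditer(pattern, blob)]
        if offsets:
            hits[name] = offsets
    for dev in DEVICE_NAMES:
        key = "devname_" + dev.rsplit("\\", 1)[1]
        # ANSI form for CreateFileA/_lopen, UTF-16LE form for the W variant.
        for needle in (dev.encode("ascii"), dev.encode("utf-16-le")):
            offsets = [m.start() for m in re.finditer(re.escape(needle), blob)]
            if offsets:
                hits.setdefault(key, []).extend(offsets)
    return hits


# Constructed sample (not a real binary): padding plus several of the tricks.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # Method 01 (32-bit)
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # Method 03 (16-bit)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # Method 12
    + b"\\\\.\\SICE\x00"                                   # Method 11, ANSI
    + "\\\\.\\NTICE".encode("utf-16-le")                   # Method 11, wide
)

if __name__ == "__main__":
    for name, offsets in sorted(scan(SAMPLE).items()):
        print(f"{name:16} at {[hex(o) for o in offsets]}")
```

Offsets are reported relative to the start of the blob; for a PE file, map them to sections with your usual parser before reading the surrounding code.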
</PRE></TD></TR></TBODY></TABLE>