<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It relies on the
BoundsChecker interface built into SoftICE: int 3 is called with 'BCHK' in
EBP and AX = 4; if SoftICE answers the request, AL no longer holds 4 on
return.

        mov  ebp, 04243484Bh    ; 'BCHK'
        mov  ax, 04h
        int  3
        cmp  al, 4
        jnz  SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It calls the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands... It is also used to crash SoftICE and to force it
to execute any command (HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV  AX,0911     ; execute command.
4C19:0098 MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647     ; 1st magic value.
4C19:009D MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0 INT  3           ; int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD  BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06       ; repeat 6 times to execute
4C19:00A8 JB   0095        ; 6 different commands.
4C19:00AA JMP  0002        ; Bad_Guy: jmp back.
4C19:00AD MOV  BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT. Do not step through such a loop
with SoftICE loaded: the last command reboots the machine.

* the "jmp to 00AD" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

A less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point): if the VxD is loaded, ES:DI receives the
address of its API entry point, otherwise ES:DI stays 0:0.

        xor  di, di
        mov  es, di
        mov  ax, 1684h
        mov  bx, 0202h          ; VxD ID of WINICE
        int  2Fh
        mov  ax, es             ; ES:DI -> VxD API entry point
        add  ax, di
        test ax, ax             ; 0:0 means no such VxD
        jnz  SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

        xor  di, di
        mov  es, di
        mov  ax, 1684h
        mov  bx, 7A5Fh          ; VxD ID of SIWVID
        int  2Fh
        mov  ax, es             ; ES:DI -> VxD API entry point
        add  ax, di
        test ax, ax
        jnz  SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov  ax, 4Fh
        int  41h
        cmp  ax, 0F386h
        jz   SoftICE_detected

The next one, as well as Method 06, are two examples taken from Stone's
"stn-wid.zip" (www.cracking.net). This variant first points the int 41h
vector at a dummy handler of its own, so that on a clean system the
interrupt returns with AX unchanged, then restores the original vector;
only a debugger sitting on int 41h below the vector table can put 0F386h
into AX:

        xor  ax, ax
        mov  es, ax             ; ES = 0 -> interrupt vector table (as in Method 06)
        mov  bx, cs
        lea  dx, int41handler2
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in dx:bx
        xchg bx, es:[41h*4+2]
        mov  ax, 4Fh
        int  41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp  ax, 0F386h
        jz   SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but more difficult to detect:
no function number is passed in AX at all. The handler installed in the
vector table copies AL into CL, so on a clean system CL == AL after the
interrupt. If SoftICE has hooked int 41h, its own handler runs instead, CL
stays 0 and the compare fails. (AL is a byte read from the timer port 40h,
so the check silently misses when that byte happens to be 0.)

int41handler PROC
        mov  cl, al
        iret
int41handler ENDP

        xor  ax, ax
        mov  es, ax             ; ES = 0 -> interrupt vector table
        mov  bx, cs
        lea  dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector in dx:bx
        xchg bx, es:[41h*4+2]
        in   al, 40h            ; a pseudo-random byte from the PIT
        xor  cx, cx
        int  41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp  cl, al
        jnz  SoftICE_detected

_________________________________________________________________________
Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

        mov  ah, 43h
        int  68h
        cmp  ax, 0F386h
        jz   SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov  ah, 25h
        mov  al, Int_Number     ; 01h or 03h
        mov  dx, offset New_Int_Routine
        int  21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
of that device if it is installed.

        mov  eax, Device_ID     ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
        mov  edi, Device_Name   ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov  [DDB], ecx         ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (DR7 = 0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether some memory breakpoints (BPM) are
set in DR0 to DR3, simply by reading their value (ring0 only, since MOV from
a debug register is a privileged instruction). The values can be manipulated
or changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if a driver answers to the SoftICE device name "\\.\SICE". */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the device exists: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001 / VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025          ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
            *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; the +4 skips the leading "\\.\" so the
 compare sees the first four letters of the device name)

-The most exotic ones (could be very slooooow :-( :
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                         ; OF_READ
        mov  eax,[00656634]             ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                        ; _lopen returns -1 (HFILE_ERROR) on failure
        jnz  00650589                   ; detected
        push 00                         ; OF_READ
        mov  eax,[00656638]             ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae                   ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was found
in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0F386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f  ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of 'tICE' inside keys #2 and #1 respectively):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
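
The following C program is an added example, not code from this text nor from
any of the protections or tools named in it. It is a small static scanner that
locates the byte patterns of the checks from Methods 01-07, 11, 12 and 13 in a
file image, so the tricks can be found before SoftICE is ever let near the
code. The patterns are the x86 encodings of the instructions quoted in those
sections (16-bit forms, except 'BCHK' which is shown in its 32-bit form; a
32-bit app adds a 66h operand-size prefix to the word moves, which the table
does not cover), plus the MeltICE device names and the NuMega registry key.
The SAMPLE buffer is constructed by hand for the demonstration; it is not a
dump of Haspinst.exe, MeltICE or any other program.

```c
/*
 * Added example, not code from this text or from any protection named in it:
 * a static scanner for the anti-SoftICE checks of Methods 01-07, 11, 12 and
 * 13. The byte patterns are the x86 encodings of the instructions quoted in
 * those sections (16-bit forms; 'BCHK' in its 32-bit form) plus the MeltICE
 * device names and the NuMega registry key. SAMPLE is constructed by hand.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *method;   /* section of this text the pattern comes from */
    const char    *what;     /* what the bytes decode to */
    const uint8_t *pat;
    size_t         len;
} sig_entry;

typedef struct {
    size_t           offset; /* where in the buffer the pattern starts */
    const sig_entry *sig;
} sig_hit;

static const uint8_t P_BCHK[]    = {0xBD,0x4B,0x48,0x43,0x42};                /* mov ebp,4243484Bh ('BCHK')          */
static const uint8_t P_BACKDR[]  = {0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC};      /* mov si,4647h; mov di,4A4Dh; int 3   */
static const uint8_t P_SICE[]    = {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F}; /* mov ax,1684h; mov bx,0202h; int 2Fh */
static const uint8_t P_SIWVID[]  = {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F}; /* mov ax,1684h; mov bx,7A5Fh; int 2Fh */
static const uint8_t P_INT41[]   = {0xB8,0x4F,0x00,0xCD,0x41};                /* mov ax,4Fh; int 41h                 */
static const uint8_t P_INT68[]   = {0xB4,0x43,0xCD,0x68};                     /* mov ah,43h; int 68h                 */
static const uint8_t P_VXDCALL[] = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00};      /* push 4Fh; push 002A002Ah            */

#define SIG_BYTES(m, w, a) { m, w, a, sizeof(a) }
#define SIG_STR(m, w, s)   { m, w, (const uint8_t *)(s), sizeof(s) - 1 }

static const sig_entry SIGS[] = {
    SIG_BYTES("01", "BoundsChecker 'BCHK' int 3 check",            P_BCHK),
    SIG_BYTES("02", "back door magic values SI/DI + int 3",        P_BACKDR),
    SIG_BYTES("03", "int 2Fh/1684h, VxD ID 0202h (SICE)",          P_SICE),
    SIG_BYTES("04", "int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",        P_SIWVID),
    SIG_BYTES("05", "int 41h function 4Fh debugger check",         P_INT41),
    SIG_BYTES("07", "int 68h function 43h WinICE handler check",   P_INT68),
    SIG_BYTES("12", "VxDCall VWIN32_Int41Dispatch, function 4Fh",  P_VXDCALL),
    SIG_STR  ("11", "MeltICE device name \\\\.\\SICE",              "\\\\.\\SICE"),
    SIG_STR  ("11", "MeltICE device name \\\\.\\SIWVID",            "\\\\.\\SIWVID"),
    SIG_STR  ("11", "MeltICE device name \\\\.\\NTICE",             "\\\\.\\NTICE"),
    SIG_STR  ("13", "registry key Software\\NuMega\\SoftICE",       "Software\\NuMega\\SoftICE"),
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Scan buf for every signature, in offset order. Up to max hits are stored
 * in hits[]; the return value is the total number found, so the caller can
 * tell when hits[] was too small. */
size_t scan_anti_sice(const uint8_t *buf, size_t n, sig_hit *hits, size_t max)
{
    size_t total = 0;
    for (size_t off = 0; off < n; off++) {
        for (size_t s = 0; s < NSIGS; s++) {
            const sig_entry *sg = &SIGS[s];
            if (sg->len <= n - off && memcmp(buf + off, sg->pat, sg->len) == 0) {
                if (total < max) {
                    hits[total].offset = off;
                    hits[total].sig    = sg;
                }
                total++;
            }
        }
    }
    return total;
}

/* Constructed sample (not a dump of any real program): the Haspinst.exe loop
 * of Method 02 re-encoded by hand, the simplest Method 05 check, and one
 * MeltICE device name. */
static const uint8_t SAMPLE[] = {
    0xB8,0x11,0x09,                 /* mov ax,0911h          */
    0x8B,0x17,                      /* mov dx,[bx]           */
    0xBE,0x47,0x46,                 /* mov si,4647h          */
    0xBF,0x4D,0x4A,                 /* mov di,4A4Dh          */
    0xCC,                           /* int 3                 */
    0x83,0xC3,0x02,                 /* add bx,2              */
    0x41,                           /* inc cx                */
    0x83,0xF9,0x06,                 /* cmp cx,6              */
    0x72,0xEB,                      /* jb  back to the top   */
    0xB8,0x4F,0x00,                 /* mov ax,4Fh            */
    0xCD,0x41,                      /* int 41h               */
    0x3D,0x86,0xF3,                 /* cmp ax,0F386h         */
    0x74,0x10,                      /* jz  SoftICE_detected  */
    '\\','\\','.','\\','S','I','C','E',0   /* "\\.\SICE"   */
};

int main(void)
{
    sig_hit hits[16];
    size_t n = scan_anti_sice(SAMPLE, sizeof SAMPLE, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("offset %2zu  Method %s  %s\n",
               hits[i].offset, hits[i].sig->method, hits[i].sig->what);
    return 0;
}
```

To use it on a real target, map the file's bytes into memory and pass them in
place of SAMPLE. The three-byte cmp ax,0F386h was deliberately left out of the
table, since three bytes match far too often in arbitrary data; that is why the
int 41h and int 68h entries stop at the interrupt instruction, and why a hit
should always be confirmed in the disassembly before a breakpoint is set on it.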

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring0
only).

        VMMCall Test_Debug_Installed
        je   not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>