<TABLE width=500>0 T$ F9 O; R( D! U; c a
<TBODY>' r+ j7 z+ ^' n
<TR>
' V* v5 {0 t' D4 w% m! D! Q<TD><PRE>Method 01
) c: l- N3 [% `- s5 e9 K3 _5 v) b8 L=========- {; A: ?: R6 P! z t# M0 ]; j
( X1 n! F# s5 ~/ j9 CThis method of detection of SoftICE (as well as the following one) is* y6 x" a! a% ^6 f' J( X, h) B) y; [; u
used by the majority of packers/encryptors found on Internet.
0 p/ W( C0 ~" ~+ bIt seeks the signature of BoundsChecker in SoftICE8 {6 g) S( l; z. P& Q
3 {" |2 C5 }, U. L* b6 O mov ebp, 04243484Bh ; 'BCHK'. e. f7 \% H8 l% v+ R! w5 g
mov ax, 04h
/ g0 t3 `+ {. P1 ] int 3
* w( s9 \ P0 k( L8 ? cmp al,45 x% Q3 {: y" _& b- ~
jnz SoftICE_Detected' F+ L* E' G" I7 `! y! v
$ I+ I: \5 D+ H6 M8 s+ t___________________________________________________________________________
( f( i) q6 Z u* R9 h
' l% w' k) r3 Y; e) ~5 ~Method 02
. s3 p" J7 i6 L8 X$ e0 u: S6 s( T=========
$ d( u ]& v5 [" ~# x: f% V- r) ^0 Y7 o6 J9 m# m
Still a method very much used (perhaps the most frequent one). It is used
! }% c3 U, I/ }3 X y5 P4 }: }: ~to get SoftICE 'Back Door commands' which gives infos on Breakpoints,! w- a( v; T) k
or execute SoftICE commands...
0 \5 L% g" W$ b* Z% E$ m) jIt is also used to crash SoftICE and to force it to execute any commands
: e! W/ j9 F5 g. y(HBOOT...) :-(( ( C. \2 k/ y+ L( n2 |1 ?6 M
3 x4 k. X! B- D! X8 L7 O9 @# K
Here is a quick description:- d, J- b6 l1 }. m7 a
-AX = 0910h (Display string in SIce windows)0 h( |& ^7 o$ _8 E9 g3 y" v
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx): G/ A0 l& }) G
-AX = 0912h (Get breakpoint infos)
* j4 G* H+ n/ }& b- \- z$ R-AX = 0913h (Set Sice breakpoints)
0 P9 f' o- Y. o0 j% i6 z$ \-AX = 0914h (Remove SIce breakoints)
! J2 [* a7 S c$ w/ v" H9 q; W' c' d0 J% T
Each time you'll meet this trick, you'll see:
; n9 j' j+ `0 X( k, ~5 F ~: B-SI = 4647h/ G. m, o/ _6 `. C5 J& Y
-DI = 4A4Dh: B h7 j6 a- a* \* k
Which are the 'magic values' used by SoftIce.8 P4 F6 N% G6 c1 |- a! u5 p
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
p/ G& A1 g$ v$ W* p/ D; o+ m
0 G/ j% t1 w7 Z) d+ THere is one example from the file "Haspinst.exe" which is the dongle HASP7 K0 r- } T' O V, Z i+ \
Envelope utility use to protect DOS applications:: G O) J$ ^# p) }* K
* X, Y( `& @( D! H7 N
`# I9 a* p5 `! ]4C19:0095 MOV AX,0911 ; execute command.
1 f& ^- _5 L, N( ~9 L, Q2 t' o4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).% V$ Q6 X1 ~5 i* V
4C19:009A MOV SI,4647 ; 1st magic value.6 d1 E, ?0 @' Z- y/ F
4C19:009D MOV DI,4A4D ; 2nd magic value.
* Z% O5 V' C& n* p4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)' i0 u5 `1 [# H7 ^- E7 Q4 |
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute9 Z' Z% z7 s4 Z( P( i
4C19:00A4 INC CX
7 _5 Y: V0 X; L* H5 {4C19:00A5 CMP CX,06 ; Repeat 6 times to execute3 \0 l f k* }6 G G9 o. j8 E
4C19:00A8 JB 0095 ; 6 different commands.
* e8 \9 F, _" L) Q8 ]5 t) S, Z4C19:00AA JMP 0002 ; Bad_Guy jmp back.1 }& ?: L0 B1 l) \$ f6 w* o- x
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
4 M8 _' d$ N' `( G! C, K( U5 e* }0 p
0 d3 N9 ?. |( r4 E' VThe program will execute 6 different SIce commands located at ds:dx, which Q2 y4 d/ v2 k G1 s
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.+ b8 C0 E8 ^/ J; n
9 v/ p- H: @6 o! [* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
. x" C# Q- P& }* N2 V5 d8 ~0 @___________________________________________________________________________
2 _1 o) t; j/ d( u4 |5 W% n- I& _5 [. t" Y/ \1 X) X
! a* W" L3 i8 y" P) x$ b; q" ~( q+ @7 r
Method 03
: g p# e2 S; x" B1 ]=========
. ]: T) Y7 l8 B& x& @3 J/ O# W
" G7 e; A L2 t# f$ W# d/ E9 j/ ~7 tLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
+ K9 x3 c, k$ b& f(API Get entry point)
1 k7 C( d K2 O( z( y9 D6 A ] ' }7 \% R6 T4 G
8 w$ R# o, E. a$ J) o7 w xor di,di
" d- v5 p/ M7 `# e1 J# a/ G1 x# ` mov es,di( D3 q( o+ K U8 u
mov ax, 1684h
7 e! {, r0 a2 t y. [+ F mov bx, 0202h ; VxD ID of winice
7 w, ]" q7 h0 n+ a6 Q* u% q) j int 2Fh- L! R9 ]! \! a: N9 ^0 }6 C
mov ax, es ; ES:DI -> VxD API entry point( [0 _- k8 u0 b) }6 Q* p4 S |
add ax, di- N9 q* J2 U1 h1 r H2 Q) y
test ax,ax
) X, v* T" ^2 t6 _8 ^% g# c' X' Y( l! R jnz SoftICE_Detected
0 ?+ ~6 p1 x/ e; V$ C( H0 o$ U4 g b' g5 ~, ~- A: q
___________________________________________________________________________
% `( f' B7 t8 a3 ^6 S0 |; L/ D, f1 \3 P
Method 049 z2 j2 K0 C$ L4 V+ X
=========: H2 @0 F5 A. H1 e' M t+ @
# \! x- [4 g& Y4 z4 eMethod identical to the preceding one except that it seeks the ID of SoftICE- j% v3 @+ j( Y+ R
GFX VxD.
( d( p7 F0 ?% ?7 `& I) I* g! `1 H' R; O8 V
xor di,di) O, U' S' A( t; M
mov es,di
" |5 r+ v+ B% V7 b/ p v mov ax, 1684h 0 }7 x& p+ y" v4 X& D* S
mov bx, 7a5Fh ; VxD ID of SIWVID
2 x/ N% E& s2 @* | int 2fh
2 Z I4 V& d# z- y/ M6 | mov ax, es ; ES:DI -> VxD API entry point
2 w3 e1 a9 r; S0 G; k6 a1 w add ax, di
0 i, q2 a! f1 } test ax,ax
* q( R4 o9 S4 i' ]3 L: U/ B jnz SoftICE_Detected1 M/ C, f" X3 r7 n: h/ G4 L% {
# i' O" t' B/ J
__________________________________________________________________________
) ]7 v% v4 Q2 @# f5 G- K( ]& y" N" c3 x; n" X
( ^4 e9 d. p: q8 R3 I, nMethod 05
5 b- \9 F% \( U2 h=========+ P! i" g; R$ u8 g0 L
: r* x/ k) H. h: ?8 XMethod seeking the 'magic number' 0F386h returned (in ax) by all system, u# f% z; g- @5 x$ q* ^) y
debugger. It calls the int 41h, function 4Fh., I1 V+ i6 b' K( E- ]
There are several alternatives. ) ^/ ~6 [" E/ h" K" e0 ?5 a) N T
6 h/ w0 W( ]' Z" P! h$ P
The following one is the simplest: }( n6 S' z6 f
# r& s. _3 N! k& x; Y( S
mov ax,4fh& N) y! ?7 x" }( f) }% i0 Y
int 41h% C) ?' V; D% n1 s4 s8 I
cmp ax, 0F386/ ~0 o0 g2 [: S7 _
jz SoftICE_detected+ u b L( ?& K" }1 P
# j) n1 U& t# _& S( x/ { s+ p1 z0 N/ S$ {/ S5 N" T
Next method as well as the following one are 2 examples from Stone's
: g7 z2 W9 g6 z) f, U8 s"stn-wid.zip" (www.cracking.net):
: @0 m6 E1 _' B, H7 L5 W/ w# L
6 _& \3 ?! a3 a c+ s mov bx, cs
1 U4 j; x# G0 |9 ?- A lea dx, int41handler2
5 h K0 R8 H+ s8 T1 K xchg dx, es:[41h*4]$ G# _4 s+ u! D L3 m( V
xchg bx, es:[41h*4+2]
4 w( m1 x! I$ W' s4 M, {& P mov ax,4fh
: S0 N/ @% |* E7 f8 g4 P! O; G int 41h! R) b! w* q: B# U* f
xchg dx, es:[41h*4]
' Q; f7 e) b0 d$ o0 f! B5 p+ f r5 r xchg bx, es:[41h*4+2]. o4 p9 ~0 j6 Y9 R% A5 A2 ^
cmp ax, 0f386h7 r ^% _0 s) R: V* T8 t; d; s7 o
jz SoftICE_detected
1 F( a' R# c% U' \& j2 z1 U) J. N
' X. Y5 v7 C- V& @& F O+ Rint41handler2 PROC
! l7 S, U' A* f* B iret4 n# ?6 I: a8 M( ]. J
int41handler2 ENDP8 |9 [1 L( \( Z
! E5 d, e& b" ^) L% S P
: u& a8 c w- l8 t_________________________________________________________________________
- R, g! A* L; X4 F( j2 _7 w! ^3 b; C+ z W [) g; L6 s' _) m
0 p# k% [$ |0 t# _: V! l8 W3 S; \
Method 06
: N9 [8 J6 k7 T" Q=========6 \: M" M% k ^7 s9 R; x
" [+ N! G+ ~! g' S; _. |% R7 q6 @8 N9 M# K% y3 }( [+ ~0 U
2nd method similar to the preceding one but more difficult to detect:$ y+ j" A3 K' L# E% t6 p
. @; t( q C5 G5 e6 Y
" }: A" u. g9 J# E% t& ~
int41handler PROC
7 {7 e# f- D$ V* L7 q: I0 U mov cl,al1 ? {0 X2 k+ y' s" @* ~& k; A& _
iret- G$ t1 ]7 [( o9 x4 ]/ n3 [7 F/ x
int41handler ENDP/ @: M9 H& m# L: q" D* S7 D" G. u2 v
0 E) \4 N. }0 h! t1 L8 e; _7 {
5 u( P# k% f/ ~* r8 H
xor ax,ax& C9 M/ F3 E/ {" B8 a3 R5 ?
mov es,ax- C1 P( q+ ?% N
mov bx, cs
( @0 A/ _2 F7 Z8 }2 [ lea dx, int41handler! e3 y' N' m* D- N' E
xchg dx, es:[41h*4]
0 L/ @" a: g1 O+ w* _0 O xchg bx, es:[41h*4+2]6 h) e" ]/ \. g5 l9 ?5 |
in al, 40h3 }- ?, o7 k/ y
xor cx,cx
$ ^0 U+ [% f) q3 Q7 o' I- h5 D int 41h
8 F( k- g% o( g) u' O xchg dx, es:[41h*4]
# t$ F |* N# N3 o7 i7 Y0 n xchg bx, es:[41h*4+2]; S" R# v6 `* C( I
cmp cl,al+ O2 F5 a! |& ?3 L5 n
jnz SoftICE_detected' T5 s/ c1 M8 k. z
* l& r1 R- X0 K/ ?3 }! C }
_________________________________________________________________________. A5 _, n$ r8 U% ` s9 k" }
- `1 l) l Q I. p! b9 x7 {Method 07) m* _ h* S" y1 B
=========/ J0 n8 @+ D5 U# m
2 G) M: k8 K% B5 m v( z" O
Method of detection of the WinICE handler in the int68h (V86)
, \, ?/ O) f" V7 k' t V+ r; V4 a/ ?* `/ g, A3 @ N: t, L
mov ah,43h
. n& f* f; Y; Y4 V* `; S int 68h
1 i# e; I4 W5 H5 J3 g$ o cmp ax,0F386h
# O4 s" S9 J2 V jz SoftICE_Detected" L6 ]# ~, i5 E
" S+ h% t ~% b M4 w/ w, F* j
' p, S$ Y4 [/ r; F=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit) a/ O" e0 p- |1 m
app like this:# Z3 b+ b% k) b* A. U( N# [( J
2 t, {- K$ j6 V) } BPX exec_int if ax==687 I6 t( K6 Q4 x# p
(function called is located at byte ptr [ebp+1Dh] and client eip is' m' y9 R! f8 p
located at [ebp+48h] for 32Bit apps)
+ T- V7 B+ v4 y+ O( b# w* B__________________________________________________________________________; V* \& r5 Y( [! n! h6 {2 [
/ u$ K' w& F4 F0 B3 h% j% N
+ o( T/ J' Q6 Y9 u" `Method 08
+ `! H# W. I. [- G& N q, V( c1 |=========
3 @( m* m4 r }* \, U& D v5 h' A* @3 P" o9 w, @7 ^/ ]+ {3 C
It is not a method of detection of SoftICE but a possibility to crash the
2 m& ~% |" C+ p4 Asystem by intercepting int 01h and int 03h and redirecting them to another4 [0 n9 t" t' A& S4 b
routine.
( x* o$ f5 o! @( i7 C; zIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
2 g) E4 `& c, S% N4 D( t! Lto the new routine to execute (hangs computer...)3 r& a" j; X3 P" S( Y
- t. s9 _7 R9 ^, s2 b8 t
mov ah, 25h
- s9 J1 ]$ l, U7 E, d- s4 w mov al, Int_Number (01h or 03h)8 e! f' k4 E) t$ i D$ M/ C* M
mov dx, offset New_Int_Routine1 m3 P( j* q9 p, u5 w$ P
int 21h5 O5 E# Y! l' d1 Z
# i2 Z: u5 U0 G( S- N
__________________________________________________________________________
& _# K( s; o$ W5 M2 F @0 [# [8 p$ q7 S+ M5 ^" L! z+ H) @
Method 09" L' |6 o! z& o+ a0 }
=========) L* o9 [, C; {* s
! V" j& A j7 ]0 f7 Q4 [
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
5 d: u7 j, `' L _2 i1 }. L, Vperformed in ring0 (VxD or a ring3 app using the VxdCall)., P+ L3 x9 N2 |0 M: E
The Get_DDB service is used to determine whether or not a VxD is installed4 G, u, a- \1 r$ u" h
for the specified device and returns a Device Description Block (in ecx) for
, S# z7 y' g+ F7 Y$ [& Ythat device if it is installed. v3 F( s: z/ i4 p& n
I2 T# ]2 n; b# o7 u, ], ]; I mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
' O$ o' Z- F, d3 B mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
1 n7 q3 {9 Y0 W' b5 Z VMMCall Get_DDB4 o9 ]2 T' ]8 U3 u2 ]3 c+ I/ K
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
O5 K: L, `6 h7 \/ o( {- e/ f) A% `2 z
Note as well that you can easily detect this method with SoftICE:
. @3 A/ R/ d/ H3 u4 R5 ` bpx Get_DDB if ax==0202 || ax==7a5fh: R( L; w8 q8 u ~
$ \& Y7 n8 B2 f8 p7 w) m7 }
__________________________________________________________________________
/ u* Y6 I% n& G5 Y% b9 K' ^
! z( B7 a0 V C& ^6 ^2 _1 N: W1 }Method 10
( b: a, r+ y# v7 @+ A=========
4 F5 k* [- p) f; B$ Y: F
& k# S! V+ [# \% j' h* X0 P2 b=>Disable or clear breakpoints before using this feature. DO NOT trace with, G, u% s9 K5 G, h$ b5 D1 k2 a
SoftICE while the option is enable!!% S. Q; i1 G8 N {+ ?: R
- O# o! o ]7 }6 R
This trick is very efficient:. W2 g% |9 c& p. F' s( n9 C- a
by checking the Debug Registers, you can detect if SoftICE is loaded
a6 p2 j$ ~8 @ T" Z(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
: J. ?: d7 b: N# _; P; Nthere are some memory breakpoints set (dr0 to dr3) simply by reading their
0 h* h# I( D9 Z+ [value (in ring0 only). Values can be manipulated and or changed as well7 u d9 L8 p$ n N1 g4 M
(clearing BPMs for instance)7 ]/ q, p2 G3 J5 q7 m4 m/ m
( v6 Z# f# i' N3 b__________________________________________________________________________; d& h. r3 ?6 \5 ~% [
% U' {3 e: z3 ? ]) X. b! l
Method 11
+ d# w. L1 R- e! M- y=========
r* G" D# C/ x! Z5 p7 n }: P: y, M- u) c e8 p
This method is most known as 'MeltICE' because it has been freely distributed
% `/ b' [: j) }) F) n$ ]. a5 Wvia www.winfiles.com. However it was first used by NuMega people to allow
& ]' u( ^) e: _% Q0 [Symbol Loader to check if SoftICE was active or not (the code is located
+ A( T4 g' y& }) y" c, x% z9 einside nmtrans.dll).
$ [- w' q7 b% P! K) g9 Q" h2 g1 @0 J( z4 |- Z& C
The way it works is very simple:/ [: X4 w8 q# n+ F0 L/ m
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
7 z8 A8 V( m6 v, ?* G) q2 mWinNT) with the CreateFileA API.
+ _# l) Y! p& ^- r1 a
8 z5 ^# j" L% A0 z1 u& ?# s& ZHere is a sample (checking for 'SICE'):* {- J8 U, _5 d9 _& u" X
+ M$ }9 v) O m I8 `- ]8 jBOOL IsSoftIce95Loaded()
* F4 _ S" Q: V8 y+ F( }{: P: d$ ^7 P4 H% u
HANDLE hFile; % e5 {7 D* ~ g8 E
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
5 ^% q6 x" K2 ^# ?+ F' ? FILE_SHARE_READ | FILE_SHARE_WRITE,
" O2 o* I) G5 i7 Y8 d% F( G NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);5 v; a' O( w3 r6 U
if( hFile != INVALID_HANDLE_VALUE )+ w, G. Y, |1 Z' { u; K& I
{
! C4 v0 ?. x E/ n* H CloseHandle(hFile);% X2 {0 O7 g" F, }
return TRUE;0 {7 { ^7 Z) C0 i# e
}( P; z) w- n& P7 F E
return FALSE;- Z9 t$ ?( D) j
}& {) K0 L% P; q* K; ]6 l
( r+ t: Z6 J0 a6 i' h' w3 W8 x( Z
Although this trick calls the CreateFileA function, don't even expect to be2 p( y0 o& z4 V
able to intercept it by installing a IFS hook: it will not work, no way!, D% Z' f- Q2 f" M! @5 y. P
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
: G/ k# {, ^, X6 f6 qservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)# B6 m; s) k/ a+ a' \6 i- j
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
3 ? f! N3 c, V* d kfield.* |5 B h9 A) W( b. U, t& _5 S) {) ?
In fact, its purpose is not to load/unload VxDs but only to send a 6 q8 O. t$ i' e( U( |- O
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
7 D5 w2 i% z" b& `to the VxD Control_Dispatch proc (how the hell a shareware soft could try
+ b( Q1 \# Y( Q# uto load/unload a non-dynamically loadable driver such as SoftICE ;-).3 h; {, I' {$ ^, S/ E
If the VxD is loaded, it will always clear eax and the Carry flag to allow4 G5 w; K* r6 [' ` R7 \
its handle to be opened and then, will be detected.
! `7 y, ~+ i- f5 ^/ jYou can check that simply by hooking Winice.exe control proc entry point
0 V0 e& V% K2 A3 {/ U! _: K) Awhile running MeltICE.% t7 t% z; J" E/ E8 W' t
, O9 D. d0 G0 T
?" v" t' a8 Q2 X, T2 H 00401067: push 00402025 ; \\.\SICE- S7 X8 \9 ?4 G4 Z3 X+ F
0040106C: call CreateFileA
7 C& [. A( Z# ^ j2 C 00401071: cmp eax,-001
. t6 r+ y1 v& y6 p- T0 X 00401074: je 00401091
6 S3 l& E3 c$ ?$ y: D' P! m. `) @6 S/ N K! W: z: X2 _
8 W# q! F- d, P) ]: F# q
There could be hundreds of BPX you could use to detect this trick.
4 D6 ?9 r0 x6 v! j' y5 g-The most classical one is:
4 v% }- f- ~( V BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||4 B1 r9 n- W. L6 i9 V
*(esp->4+4)=='NTIC'# s7 X6 ~; c! d1 A4 ^
. Y; J7 n0 c2 G$ F, o4 N-The most exotic ones (could be very slooooow :-(
; z k6 [+ b4 s8 [4 u BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 6 H' G$ `7 G6 s$ B; ^* i
;will break 3 times :-() F1 ?$ n# W$ |% w/ ?% i4 @
% K/ s$ v6 G. D-or (a bit) faster:
, E# [/ H8 a& P1 U* E6 \/ L; a0 b BPINT 30 if (*edi=='SICE' || *edi=='SIWV')7 \, c% t3 t) r
5 I5 w+ r! G5 [3 D9 h; C9 P
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
) J2 Z% [! F" ]( ?7 S. Y ;will break 3 times :-(
5 s' G4 ]* K' t) g, X& e7 d7 R7 W8 T6 c
-Much faster:
; ?2 p8 [1 Y1 W% e' G9 V BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
* j4 ?5 ?6 ^8 v$ G7 l* V/ g
. D- X/ {; N- Q9 E* k0 A, XNote also that some programs (like AZPR3.00) use de old 16-bit _lopen2 y9 w* O# v3 D- L1 b5 j
function to do the same job:& n; [) m* l/ Q- ]8 y1 `4 Z. |
: p; Q0 [+ I$ h7 I0 z4 S
push 00 ; OF_READ8 c* `4 t: w1 }5 c
mov eax,[00656634] ; '\\.\SICE',0& H. ^: C( _% _. B6 Q. k
push eax& q2 r3 c/ K" ]- x# q( C
call KERNEL32!_lopen4 K; l, m4 _! T; M6 `1 h1 L
inc eax
4 z# [% x- }% o' X7 b6 T! K! ^ jnz 00650589 ; detected
0 T; f" d) g! C) t/ l1 K' _( \- ~ push 00 ; OF_READ
: A' k/ ?) z1 A5 `& Q5 o1 [ mov eax,[00656638] ; '\\.\SICE'
+ i- G& q# W8 o- @( a# n0 ~ push eax& t; n( q0 e& i* _! [! j
call KERNEL32!_lopen0 J" Q+ ^- ?% l4 g1 [
inc eax
2 H, r2 F7 d7 r9 j jz 006505ae ; not detected3 s! b, B' J7 `7 a
# R# k+ B/ {0 n! F; ^- [5 v B
8 J: z2 N( u' T$ l2 `" M& W. ]8 P- |__________________________________________________________________________- v; r$ B. ^% ]: F3 t
4 I1 L- L7 N x, i% o" n) ~Method 12" U3 C6 e2 Z. ^5 {7 U
=========
3 }' ^1 R: \; Q i$ W& w8 f3 U0 a8 |! C- S% K) b( S; r
This trick is similar to int41h/4fh Debugger installation check (code 05: Z- s' [. j1 w& D$ E. {+ M" a
& 06) but very limited because it's only available for Win95/98 (not NT)
9 L1 i; e% P Q- F$ E- [2 Nas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
- S7 P% J9 Z: j6 y6 M! a9 p; ^& i4 x* R/ G) I
push 0000004fh ; function 4fh
% N+ q2 I* j: n+ P/ q( a1 R2 l push 002a002ah ; high word specifies which VxD (VWIN32)
/ q9 |3 C3 Y( s: r- z% u _ ; low word specifies which service
* S( l7 o3 h2 H (VWIN32_Int41Dispatch)
% o" G J# {0 G% U& X call Kernel32!ORD_001 ; VxdCall
2 I: o) D3 Z3 N$ p4 J0 w- {" \ cmp ax, 0f386h ; magic number returned by system debuggers
. r! I, w* D/ u jz SoftICE_detected/ J" ]- ?- C4 O/ N' z) I
, @ s9 B% J. G1 r0 G
Here again, several ways to detect it:
: Z. N, b3 x# g2 C, F7 c7 b# Y: ?& D4 `6 W0 l5 X
BPINT 41 if ax==4f
! f# G# w6 t8 m( `& _$ v% k" s
5 `2 u; P- W& z% }# h9 g7 H BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
# d# n Q! a; P* d7 k1 D+ M4 P0 X8 A0 C0 d
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
. q5 [) N& m% b3 }/ V
$ r% d. f5 Q1 { BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!( }) V7 {* q( @
$ I) [( _" U% ^( n. K3 d
__________________________________________________________________________4 o' n( Q' P! g0 v) B
7 ^6 Y9 x* p6 K3 v9 J; |! w) dMethod 13
& {# ^) ]+ E" H8 C4 e6 ]$ m=========4 h; A! k1 j, c; J5 t
4 B6 a# ?! K) q7 lNot a real method of detection, but a good way to know if SoftICE is
9 d) h3 G5 |' p. {: a* l Iinstalled on a computer and to locate its installation directory.
* b6 N, n4 F) X8 g8 B& j6 pIt is used by few softs which access the following registry keys (usually #2) :
/ |" u# Y9 i4 A1 L7 Q8 y$ `9 h8 v e( L: p* C
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
# ~# W2 J6 Q( {) R, B w\Uninstall\SoftICE* ]% o& w1 g9 `
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE6 ? u7 l! f: d; ]
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
: J' Q' L9 n9 g; @* W3 Y. x\App Paths\Loader32.Exe
9 i N3 T! R1 V1 F: |: |& \6 o0 t: ~
+ p9 [. S1 ^7 L# Q& m$ qNote that some nasty apps could then erase all files from SoftICE directory3 r6 _* ^; D$ ^/ K6 i
(I faced that once :-(
% }0 n2 t$ X! X/ g7 b6 o X' R& Z9 m1 S
Useful breakpoint to detect it:4 X0 z$ C7 K/ t' R6 I* u: Q
3 Y; O9 A: p$ J9 | a BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
# o# Q/ |( ~ q8 G4 l c: _: | c* V4 V6 M% m% T
__________________________________________________________________________" m6 C$ b( F0 R g
3 }7 S3 S' Z% Y- D; H
+ l% g: D! T6 [3 e- F$ [ ?- c" tMethod 14
7 D+ ~4 y/ k+ a# ?, e=========! ]( ^, D) K! O; Z$ h1 d
: a9 O9 I( t; T1 \% s( N% LA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
* Q; f2 f' I' Fis to determines whether a debugger is running on your system (ring0 only).6 {& A# s# c# P' o0 Z5 ^
7 |( S& o, R) ]+ z, g VMMCall Test_Debug_Installed% l6 {9 R3 h1 B4 y! v: P8 b+ v6 O
je not_installed* X$ J o( D. \' F
+ N5 G# ?, L' J- h% D( H) @+ P
This service just checks a flag.
: ?, g* |3 U; J* f; v# c* ~</PRE></TD></TR></TBODY></TABLE> |