<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE's int 3 handler
recognises (EBP='BCHK', AX=4): when SoftICE is loaded the handler answers
by changing AL (AL=0), so AL is no longer 4 on return.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SoftICE window)
-AX = 0911h (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SoftICE is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(API "Get VxD entry point"): if the VxD is loaded, ES:DI receives a non-zero
entry point, otherwise it stays at the zero the code put there.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h     ; VxD ID of WINICE
    int 2Fh
    mov ax, es        ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of the
SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh     ; VxD ID of SIWVID
    int 2fh
    mov ax, es        ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next one, as well as the one in method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). It first swaps a dummy int 41h handler
(a bare IRET) into the real-mode interrupt vector table, so that without a
debugger the call returns with AX unchanged, and swaps the original vector
back afterwards:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect. The
dummy int 41h handler copies AL into CL; the code reads the timer port
(in al,40h) so AL is unpredictable, clears CX, calls int 41h and then
compares CL with AL. If the dummy handler really ran, CL equals AL; if a
debugger handled int 41h itself instead of chaining, CL is still 0 and the
mismatch gives it away:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client
    eip at [ebp+48h] for 32-bit apps)
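The byte sequences behind methods 01 to 07 (and the cmp ax,0F386h shared with
method 12) are fixed enough to look for statically in a binary before running
it. The following C program is an added example, not part of the original text
nor of any tool it names: it encodes those sequences as signatures and scans a
buffer for them, reporting every hit with its offset. The sample buffer is
constructed by hand-assembling the listings above (the HASPINST loop body of
method 02, then the simplest int 41h/4Fh check of method 05, then the int
2Fh/1684h query of method 03). The encodings assume 16-bit code (mov si,imm16 =
BE iw, int 3 = CC, and so on); a 32-bit build would carry 66h operand-size
prefixes that these signatures do not include.

```c
/* Static scanner for the anti-SoftICE byte sequences shown in methods
 * 01-07 and 12.  Added example; the signatures and the sample buffer
 * are hand-assembled from the listings in this text (16-bit encodings). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sig { const char *name; const uint8_t *pat; size_t len; };
struct hit { size_t offset; const char *name; };

/* Encodings used: mov ebp,imm32 = BD id   mov si,imm16 = BE iw
 * mov di,imm16 = BF iw   mov ax,imm16 = B8 iw   mov bx,imm16 = BB iw
 * mov ah,imm8 = B4 ib    int 3 = CC   int n = CD ib   cmp ax,imm16 = 3D iw */
static const uint8_t bchk[]       = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
static const uint8_t magic_si[]   = { 0xBE, 0x47, 0x46 };
static const uint8_t magic_di[]   = { 0xBF, 0x4D, 0x4A };
static const uint8_t vxd_sice[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F };
static const uint8_t vxd_siwvid[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
static const uint8_t int41_4f[]   = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
static const uint8_t int68_43[]   = { 0xB4, 0x43, 0xCD, 0x68 };
static const uint8_t cmp_f386[]   = { 0x3D, 0x86, 0xF3 };

#define SIG(name, arr) { name, arr, sizeof(arr) }
static const struct sig sigs[] = {
    SIG("method 01: mov ebp,'BCHK' (BoundsChecker int 3 interface)", bchk),
    SIG("method 02: mov si,4647h (back door magic 'FG')",           magic_si),
    SIG("method 02: mov di,4A4Dh (back door magic 'JM')",           magic_di),
    SIG("method 03: int 2Fh/1684h, bx=0202h (SICE VxD)",            vxd_sice),
    SIG("method 04: int 2Fh/1684h, bx=7A5Fh (SIWVID VxD)",          vxd_siwvid),
    SIG("method 05: mov ax,4Fh / int 41h",                          int41_4f),
    SIG("method 07: mov ah,43h / int 68h",                          int68_43),
    SIG("method 05/07/12: cmp ax,0F386h (debugger magic number)",   cmp_f386),
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* Scan buf for every signature.  Returns the total number of matches;
 * the first max_hits of them are written to out in ascending offset order. */
size_t scan_sice_tricks(const uint8_t *buf, size_t len,
                        struct hit *out, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off < len; off++) {
        for (size_t s = 0; s < NSIGS; s++) {
            const struct sig *g = &sigs[s];
            if (g->len <= len - off && memcmp(buf + off, g->pat, g->len) == 0) {
                if (n < max_hits) { out[n].offset = off; out[n].name = g->name; }
                n++;
            }
        }
    }
    return n;
}

/* Constructed sample: the HASPINST.EXE loop body from method 02, then the
 * simplest int 41h check of method 05, then the int 2Fh query of method 03. */
static const uint8_t sample[] = {
    0xB8, 0x11, 0x09,   /* 00: mov ax,0911h   */
    0x8B, 0x17,         /* 03: mov dx,[bx]    */
    0xBE, 0x47, 0x46,   /* 05: mov si,4647h   */
    0xBF, 0x4D, 0x4A,   /* 08: mov di,4A4Dh   */
    0xCC,               /* 0B: int 3          */
    0xB8, 0x4F, 0x00,   /* 0C: mov ax,4Fh     */
    0xCD, 0x41,         /* 0F: int 41h        */
    0x3D, 0x86, 0xF3,   /* 11: cmp ax,0F386h  */
    0xB8, 0x84, 0x16,   /* 14: mov ax,1684h   */
    0xBB, 0x02, 0x02,   /* 17: mov bx,0202h   */
    0xCD, 0x2F,         /* 1A: int 2Fh        */
};

int main(void)
{
    struct hit hits[32];
    size_t n = scan_sice_tricks(sample, sizeof sample, hits, 32);
    for (size_t i = 0; i < n && i < 32; i++)
        printf("+%04zX  %s\n", hits[i].offset, hits[i].name);
    return 0;
}
```

Two of the signatures (mov si,4647h and mov di,4A4Dh) are reported separately
because HASPINST and other packers interleave other instructions between
them; a hit on either one alone is already a strong sign of the back door.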
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number        ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h
__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

    mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name   ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their value (ring0 only: a MOV from a debug register faults in ring3).
Values can be manipulated or changed as well (clearing BPMs, for instance).
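The text gives only the raw numbers. The following C block is an added
example, not part of the original, that decodes them against the DR7 layout
from the Intel manual (bits 0-7 local/global enables for DR0-DR3, bit 8 LE,
bit 9 GE, bit 10 reserved and always set, bits 16-31 R/W and LEN fields) so
that 0x700 and 0x400 mean something, and implements the checks the text
describes: is a hardware breakpoint armed in DR0-DR3, of what kind and length,
and what "clearing BPMs" amounts to. It does not read the registers itself
(that needs ring 0); the register values are a constructed sample.

```c
/* Decoding the debug-register values quoted in method 10.  Added example,
 * not part of the original text.  It does not read DR7 itself (a MOV from
 * a debug register faults outside ring 0); it interprets a value already
 * captured, e.g. by a ring-0 stub or from a thread CONTEXT. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* DR7 (Intel SDM): bits 0-7 = L0,G0,L1,G1,L2,G2,L3,G3 (local/global enable
 * for DR0-DR3), bit 8 = LE, bit 9 = GE, bit 10 = reserved (always reads 1),
 * bit 13 = GD, bits 16-31 = R/W and LEN fields, 4 bits per breakpoint. */
#define DR7_LE       (1u << 8)
#define DR7_GE       (1u << 9)
#define DR7_RESERVED (1u << 10)
#define DR7_GD       (1u << 13)

enum bp_kind { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_READWRITE = 3 };

struct dr_state { uint32_t dr0, dr1, dr2, dr3, dr6, dr7; };

/* Bit i set => DRi is enabled locally (Li) or globally (Gi). */
unsigned dr7_enabled_mask(uint32_t dr7)
{
    unsigned m = 0;
    for (int i = 0; i < 4; i++)
        if (dr7 & (3u << (2 * i)))
            m |= 1u << i;
    return m;
}

/* R/W field of breakpoint i: what kind of access triggers it. */
enum bp_kind dr7_kind(uint32_t dr7, int i)
{
    return (enum bp_kind)((dr7 >> (16 + 4 * i)) & 3u);
}

/* LEN field of breakpoint i in bytes: 00=1, 01=2, 11=4 (10=8 on x86-64 only). */
unsigned dr7_len(uint32_t dr7, int i)
{
    static const unsigned len_tab[4] = { 1, 2, 8, 4 };
    return len_tab[(dr7 >> (18 + 4 * i)) & 3u];
}

/* The 0x700 vs 0x400 distinction from the text: a program started through
 * the SoftICE loader sees LE and GE set on top of the reserved bit. */
bool dr7_softice_loader_signature(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
}

/* A BPM is present if some DRi is enabled and holds a non-zero address. */
bool has_memory_breakpoint(const struct dr_state *s)
{
    const uint32_t addr[4] = { s->dr0, s->dr1, s->dr2, s->dr3 };
    unsigned m = dr7_enabled_mask(s->dr7);
    for (int i = 0; i < 4; i++)
        if ((m & (1u << i)) && addr[i] != 0)
            return true;
    return false;
}

/* The manipulation the text mentions ("clearing BPMs"): wipe DR0-DR3, DR6
 * and every enable/R/W/LEN bit, keeping only LE, GE, GD and the reserved
 * bit.  Returns the new DR7. */
uint32_t clear_bpm(struct dr_state *s)
{
    s->dr0 = s->dr1 = s->dr2 = s->dr3 = 0;
    s->dr6 = 0;
    s->dr7 &= DR7_LE | DR7_GE | DR7_RESERVED | DR7_GD;
    return s->dr7;
}

int main(void)
{
    /* Constructed state: loaded via the SoftICE loader (0x700) plus a
     * 4-byte write BPM on 00401000h in DR0 (L0=1, R/W0=01, LEN0=11). */
    struct dr_state s = { 0x00401000u, 0, 0, 0, 0, 0x000D0701u };
    printf("loader signature: %d\n", dr7_softice_loader_signature(s.dr7));
    for (int i = 0; i < 4; i++)
        if (dr7_enabled_mask(s.dr7) & (1u << i))
            printf("DR%d enabled, kind %d, len %u\n",
                   i, (int)dr7_kind(s.dr7, i), dr7_len(s.dr7, i));
    printf("BPM present: %d, after clear_bpm DR7=%03X\n",
           has_memory_breakpoint(&s), clear_bpm(&s));
    return 0;
}
```

Note that clear_bpm keeps LE/GE, so a protection that only looks for 0x700
still sees the loader signature after the BPMs are gone; a protection that
compares DR7 against 0x400 needs LE/GE cleared too.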

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                ; will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                ; will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on
failure, hence the inc eax / jnz test):

    push 00                  ; OF_READ
    mov eax,[00656634]       ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589             ; detected
    push 00                  ; OF_READ
    mov eax,[00656638]       ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae              ; not detected

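The following C block is an added example, not MeltICE's nor nmtrans.dll's
code. It generalises the sample above to the three device names the text
lists (SICE, SIWVID, NTICE; the CreateFileA probe itself is only compiled on
Windows) and, for the detection side, emulates what the SoftICE condition
*(esp->4+4)=='SICE' evaluates: esp->4 is the first argument of CreateFileA
(lpFileName), +4 skips the \\.\ prefix, and the four bytes found there are
compared with the tag. It shows why the condition has to accept 'SIWV' and
'NTIC' as well (only four bytes of SIWVID/NTICE are compared) and why an
ordinary path never triggers it. The call arguments fed to it are constructed.

```c
/* MeltICE-style driver probe over the three device names in the text, plus
 * an emulation of the SoftICE breakpoint condition used to catch it.
 * Added example; the Win32 probe is only built on Windows. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define NDEVICES 3
static const char *const sice_devices[NDEVICES] = {
    "\\\\.\\SICE",    /* Win9x debugger VxD */
    "\\\\.\\SIWVID",  /* Win9x video VxD    */
    "\\\\.\\NTICE",   /* WinNT driver       */
};
/* The dwords that `*(esp->4+4)=='SICE' || ... 'SIWV' || ... 'NTIC'`
 * compares against: only four bytes are looked at. */
static const char sice_tags[NDEVICES][4] = { "SICE", "SIWV", "NTIC" };

/* Emulates the BPX CreateFileA condition: esp->4 is lpFileName, +4 skips
 * the "\\.\" prefix, and the four bytes there are compared with each tag.
 * Returns the index of the matching device or -1.  SoftICE would read the
 * four bytes whatever the string length; here short strings cannot match. */
int sice_bpx_condition(const char *lpFileName)
{
    if (lpFileName == NULL || strlen(lpFileName) < 8)
        return -1;
    for (int i = 0; i < NDEVICES; i++)
        if (memcmp(lpFileName + 4, sice_tags[i], 4) == 0)
            return i;
    return -1;
}

#ifdef _WIN32
/* The probe itself: a handle on any of the device names means the
 * corresponding SoftICE driver is loaded.  Returns the index or -1. */
int softice_driver_loaded(void)
{
    for (int i = 0; i < NDEVICES; i++) {
        HANDLE h = CreateFileA(sice_devices[i], GENERIC_READ | GENERIC_WRITE,
                               FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                               OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (h != INVALID_HANDLE_VALUE) {   /* -1, the cmp eax,-001 above */
            CloseHandle(h);
            return i;
        }
    }
    return -1;
}
#else
/* No such device namespace outside Windows: nothing to open. */
int softice_driver_loaded(void) { return -1; }
#endif

int main(void)
{
    /* Constructed call arguments a BPX would see: the probe's own names
     * trigger the condition, an ordinary file path or device does not. */
    const char *calls[] = { sice_devices[0], sice_devices[1], sice_devices[2],
                            "C:\\TEMP\\SICE.TXT", "\\\\.\\COM1" };
    for (size_t i = 0; i < sizeof calls / sizeof calls[0]; i++)
        printf("%-20s -> %d\n", calls[i], sice_bpx_condition(calls[i]));
    printf("driver loaded: %d\n", softice_driver_loaded());
    return 0;
}
```

The same four-byte compare is what the _lopen variant above defeats only by
accident: the breakpoint is on CreateFileA, so a program that opens the
device through _lopen needs a breakpoint on KERNEL32!_lopen (or on one of the
lower-level entries listed above) with the same condition on its first
argument.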
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger-installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004fh        ; function 4fh
    push 002a002ah        ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service
                          ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001 ; VxDCall
    cmp ax, 0f386h        ; magic number returned by system debuggers?
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (the offsets 0x13 and 0x37 are where "tICE"
sits in the #2 and #1 key names):

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>