<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE exposes on int 3:
with EBP = 'BCHK' and AX = 4, SoftICE answers the int 3 by modifying AL,
so if AL is still 4 afterwards no SoftICE is loaded.

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al, 4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' interface on int 3, which returns information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE, or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description of the functions:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' SoftICE requires before it honours the call.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed from the program's own int 3 handler
(an exception handler installed beforehand), which only runs if no
debugger intercepts int 3.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the SoftICE VxD's API entry point via
int 2Fh/AX=1684h ("Get Device API Entry Point"): ES:DI comes back as
0000:0000 if the VxD is not loaded, non-zero otherwise.

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WINICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE video VxD (SIWVID).

        xor di, di
        mov es, di
        mov ax, 1684h
        mov bx, 7A5Fh           ; VxD ID of SIWVID
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax, ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh (the debugger
installation check).
There are several variants.

The following one is the simplest:

        mov ax, 4Fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next one, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the program first replaces the
int 41h vector with its own handler (a bare IRET), so whatever sits in the
real-mode vector (a stub, or a hook planted to defeat the check) is
bypassed; if SoftICE is loaded it still intercepts the interrupt and
returns 0F386h.

        xor ax, ax
        mov es, ax                      ; ES = 0 (IVT), as in Method 06
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]             ; swap our handler in, keep the old one
        xchg bx, es:[41h*4+2]
        mov ax, 4Fh
        int 41h
        xchg dx, es:[41h*4]             ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0F386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

Second method similar to the preceding one, but harder to spot because
neither 4Fh nor 0F386h appears in the code. The program installs its own
int 41h handler that copies AL into CL, then calls int 41h with a "random"
value in AL (read from the timer port 40h). If no debugger intercepts the
interrupt the handler runs and CL == AL; if SoftICE answers instead, AX is
overwritten with its return value and CL != AL.

int41handler PROC
        mov cl, al
        iret
int41handler ENDP

        xor ax, ax
        mov es, ax                      ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]             ; swap our handler in
        xchg bx, es:[41h*4+2]
        in al, 40h                      ; "random" value from the timer
        xor cx, cx
        int 41h
        xchg dx, es:[41h*4]             ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl, al
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (the V86-mode debugger hook):
function 43h returns the same 0F386h magic number if a debugger is present.

        mov ah, 43h
        int 68h
        cmp ax, 0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP
is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE, but a way to crash the system:
the program intercepts int 01h and int 03h (the single-step and breakpoint
interrupts a debugger relies on) and redirects them to its own routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing at the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7A5Fh for SIWVID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise; the difference is bits 8
and 9, the LE/GE "exact breakpoint" flags, while bit 10 always reads as 1)
and whether memory breakpoints are armed (DR0 to DR3 hold their addresses,
and the L0-L3/G0-G3 bits of DR7 enable them). The values can be manipulated
or changed as well (clearing BPMs, for instance).
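
The decoder below is an added example, not code from the original article:
it interprets DR7 (and the DR0-DR3 addresses) exactly as a ring-0 check
would after reading them with "mov eax, dr7", so the 0x700 / 0x400 values
quoted above and an armed BPM can be told apart. It assumes the documented
IA-32 layout of DR7; the function names and the register values it is run
on are constructed for the demo (a real check must read them in ring 0).

```python
"""Decode x86 debug registers the way a Method 10 check would (ring 0 only).

Added example, not from the original article. The register values are
constructed; a real check reads them with 'mov eax, dr7' etc. in ring 0.
Bit layout follows the documented IA-32 DR7 format.
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 2 (8 bytes) only valid in 64-bit mode


def decode_dr7(dr7, dr=(0, 0, 0, 0)):
    """Return the LE/GE/GD flags and the list of armed breakpoints in DR7."""
    armed = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1        # L0..L3: bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1     # G0..G3: bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3      # R/Wn: exec / write / io / rw
        ln = (dr7 >> (18 + 4 * i)) & 3      # LENn: size of the watched range
        armed.append({
            "reg": i, "addr": dr[i],
            "kind": RW_NAMES[rw], "len": LEN_BYTES[ln],
            "scope": "global" if glob else "local",
        })
    return {
        "le": bool(dr7 & 0x100),            # bit 8: local exact breakpoint enable
        "ge": bool(dr7 & 0x200),            # bit 9: global exact breakpoint enable
        "gd": bool(dr7 & 0x2000),           # bit 13: #DB on any access to DRn
        "breakpoints": armed,
    }


def softice_verdict(dr7, dr=(0, 0, 0, 0)):
    """The Method 10 decision: 'bpm set' if any DR0-DR3 breakpoint is armed,
    'softice loader' for the 0x700 pattern (LE and GE both set), else 'clean'."""
    info = decode_dr7(dr7, dr)
    if info["breakpoints"]:
        return "bpm set"
    if info["le"] and info["ge"]:
        return "softice loader"
    return "clean"


def clear_bpms(dr7):
    """DR7 with every hardware breakpoint disarmed: L/G enable bits and the
    R/W and LEN fields cleared; LE/GE and the always-set bit 10 survive."""
    return dr7 & ~0xFFFF00FF & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed values: a clean DR7, the SoftICE-loader DR7, and a DR7 with a
    # 4-byte write BPM in DR0 (L0=1, R/W0=01b, LEN0=11b) at address 0x401000.
    for dr7, regs in ((0x400, (0, 0, 0, 0)),
                      (0x700, (0, 0, 0, 0)),
                      (0xD0401, (0x401000, 0, 0, 0))):
        print(hex(dr7), softice_verdict(dr7, regs),
              decode_dr7(dr7, regs)["breakpoints"])
```

clear_bpms shows why the warning above matters: a protection that writes
the cleared value back into DR7 silently kills every BPM you had set, so
anything you traced through with a BPM active stops breaking.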
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega itself to let
Symbol Loader check whether SoftICE was active (the code is located
inside nmtrans.dll).

The way it works is very simple: it tries to open a handle on the SoftICE
drivers (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA
API. If the open succeeds, the driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* "\\\\.\\SICE" is the C spelling of the device path \\.\SICE */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);     /* the driver accepted the open: loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001          ; INVALID_HANDLE_VALUE
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is the lpFileName argument, and +4 skips
 the "\\.\" prefix so the comparison lands on the driver name):

        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ; will break 3 times :-(

-or (a bit) faster:

        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ; will break 3 times :-(

-Much faster:

        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

        push 0000004Fh          ; function 4Fh
        push 002A002Ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp ax, 0F386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one!

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; offset
0x13 is where "tICE" starts in "Software\NuMega\SoftICE", and 0x37 where
it starts in "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE"):

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

- |/ p% @' L! u/ ^( O) b) l__________________________________________________________________________
1 j! g, O6 @" o3 u- ?- {, n
6 v8 i' e* o- c5 H4 r/ m2 Z% e2 y) g4 s# D' r
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only). The service returns with the Zero flag set if no debugger
is installed.

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>