<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature ('BCHK') in SoftICE:

        mov ebp, 04243484Bh   ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4              ; AL stays 4 when nobody answers the int 3
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; ds:dx points to the command)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911      ; execute command.
4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647      ; 1st magic value.
4C19:009D MOV DI,4A4D      ; 2nd magic value.
4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
4C19:00A8 JB 0095          ; 6 different commands.
4C19:00AA JMP 0002         ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h        ; VxD ID of winice
        int 2Fh
        mov ax, es           ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax           ; ES:DI is still 0:0 if the VxD is not loaded
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh        ; VxD ID of SIWVID
        int 2fh
        mov ax, es           ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]        ; install our own int 41h handler
        xchg bx, es:[41h*4+2]      ; (ES must point to segment 0, the IVT)
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]        ; restore the previous vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al                  ; our handler: copy AL into CL
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax                  ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]        ; install our handler in the int 41h vector
        xchg bx, es:[41h*4+2]
        in al, 40h                 ; read the timer: an unpredictable AL
        xor cx,cx
        int 41h                    ; with no debugger, our handler sets CL=AL
        xchg dx, es:[41h*4]        ; restore the previous vector
        xchg bx, es:[41h*4+2]
        cmp cl,al
        jnz SoftICE_detected       ; CL still 0: our handler never ran

_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:
        BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx = new handler
        int 21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID     ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name   ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx         ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
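The following decoder is an added example, not code from the original text: it
takes DR7 (and the DR0-DR3 addresses) the way a ring0 check from Method 10 would
read them and spells out bit by bit what the two values quoted above mean, so an
analyst can tell "SoftICE loader flags set" apart from "a memory breakpoint is
armed". The bit layout is the architectural DR7 layout; the function names and
the sample register values are this example's own, constructed values.

```python
# Added example, not part of the original text: decode the debug registers a
# Method 10 style ring0 check would read. Bit layout is the architectural DR7
# layout; SAMPLES and the function names are constructed for this example.

# DR7 bits 16-17, 20-21, 24-25, 28-29: breakpoint condition (R/W0..R/W3)
RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# DR7 bits 18-19, 22-23, 26-27, 30-31: breakpoint length (LEN0..LEN3)
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


def decode_dr7(dr7, dr=(0, 0, 0, 0)):
    """Describe DR7: the global flags plus every enabled breakpoint slot.

    dr holds (dr0, dr1, dr2, dr3), the linear addresses of the four slots.
    """
    info = {
        "local_exact": bool((dr7 >> 8) & 1),      # LE
        "global_exact": bool((dr7 >> 9) & 1),     # GE
        "reserved_bit10": bool((dr7 >> 10) & 1),  # always reads as 1 (the 0x400)
        "general_detect": bool((dr7 >> 13) & 1),  # GD: #DB on any MOV to/from DRx
        "breakpoints": [],
    }
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1           # L0..L3
        glob = (dr7 >> (2 * slot + 1)) & 1        # G0..G3
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 0b11
        length = (dr7 >> (18 + 4 * slot)) & 0b11
        info["breakpoints"].append({
            "slot": slot,
            "address": dr[slot],
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[length],
        })
    return info


def memory_breakpoints_set(dr7):
    """True when any of DR0-DR3 is armed (what the text calls BPMs being set)."""
    return bool(dr7 & 0xFF)


def loaded_with_softice_loader(dr7):
    """The heuristic from the text: LE and GE set (0x700) versus the bare 0x400."""
    return (dr7 & 0x700) == 0x700


# Constructed sample values: the two quoted in the text, plus a DR7 with slot 0
# armed locally as a 4-byte write breakpoint at a made-up address.
SAMPLES = {
    "plain": 0x400,
    "softice_loader": 0x700,
    "one_bpm": 0xD0401,   # L0=1, R/W0=01 (write), LEN0=11 (4 bytes)
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, hex(value), decode_dr7(value, (0x401000, 0, 0, 0)))
```

Two things the decoder makes visible: MOV from a debug register is a privileged
instruction, which is why the text restricts the trick to ring0; and DR7 has a
general-detect bit (GD, bit 13) that makes the very next access to any debug
register raise #DB, so a kernel debugger that sets it will catch the probe before
the probe reads anything.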

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name only succeeds when the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067: push 00402025      ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp eax,-001
        00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                      ; OF_READ
        mov eax,[00656634]           ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                      ; HFILE_ERROR (-1) becomes 0
        jnz 00650589                 ; detected
        push 00                      ; OF_READ
        mov eax,[00656638]           ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========
This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>