<TABLE width=500>, a+ B9 c7 _( X
<TBODY>
! t( L$ Z* |' R P: M _<TR>/ g& ^ S* s+ w/ X
<TD><PRE>Method 01 2 l3 Y- z$ f. l" s
=========
! A' X3 O' |6 c# e8 J' X1 B& @+ R; c4 n# K1 |" q
This method of detection of SoftICE (as well as the following one) is
" Y3 h3 |5 @& X* [used by the majority of packers/encryptors found on Internet.
' p- d, Q) Y! J3 ~It seeks the signature of BoundsChecker in SoftICE6 Z+ Z: i3 y0 V& \- u# `8 s. i
4 A5 Y3 q& h* b
mov ebp, 04243484Bh ; 'BCHK'* R, O0 ]+ C9 M/ b; V8 B
mov ax, 04h( F, ^) ?7 ?9 o4 p. n' k1 _
int 3
5 M% g8 H: Y( u$ Y' V# ^) _ cmp al,4
6 N- d/ X! B" L. h5 M# Z jnz SoftICE_Detected. k7 b% j- q$ J8 ^
/ {6 Z f0 b2 l# {3 ]___________________________________________________________________________
z5 _/ ?6 Z% ]! {5 @/ m8 B, q0 _* T. t
Method 02
& k: |6 w( R7 Z: Q4 D=========3 C' w+ I: O% ?5 g/ ]5 u
p0 ]- D: |- n; YStill a method very much used (perhaps the most frequent one). It is used
# h4 j3 E) G/ C4 Dto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
. x9 B! ?" Z9 |or execute SoftICE commands...2 e: t+ w8 Q/ X( @4 d1 s
It is also used to crash SoftICE and to force it to execute any commands
' K9 E6 H7 U1 o) d) o% l5 y(HBOOT...) :-(( * O. E i" p6 }
+ x V# }- I6 N, P0 V& ^7 }5 \Here is a quick description:
2 a0 e3 K: @1 g; [: |, u, t Y8 ^: \-AX = 0910h (Display string in SIce windows)' }6 H: P* r( m3 z
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
! b: q* U M) V) L( j6 B-AX = 0912h (Get breakpoint infos)
! [5 i3 F' s4 l-AX = 0913h (Set Sice breakpoints)
/ |: N b8 ~# _-AX = 0914h (Remove SIce breakoints) X/ ~ ? `2 ^
& ~* m O* y6 I x3 v8 |/ J z
Each time you'll meet this trick, you'll see:8 N$ f) n. L S# o! B+ i
-SI = 4647h
' |" E1 e7 |4 D. p; B/ c5 {0 d-DI = 4A4Dh- }3 o. }- k0 g# s/ j/ \
Which are the 'magic values' used by SoftIce./ B4 ?0 C% O" n2 W' r$ H0 [* }
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.) K# `/ U& ~2 z4 \
5 g5 j/ A4 I1 xHere is one example from the file "Haspinst.exe" which is the dongle HASP( V% K8 U( g, r" c h& t2 p/ L
Envelope utility use to protect DOS applications:, }) ? z# z: P# R) m
/ N8 h" M) l3 F* T
9 n% Q" U& t: H- A, ~* Q3 M% L0 W6 |4C19:0095 MOV AX,0911 ; execute command.% s+ K% {* C% f0 m% ?
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
' y$ |" H* G8 ?& D, Z/ L4 U2 z4C19:009A MOV SI,4647 ; 1st magic value.5 t. x& r- J6 R2 x
4C19:009D MOV DI,4A4D ; 2nd magic value.
- R9 _# @3 P& I! m) J0 ^5 l4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
1 D! F. z; z0 z, h4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute+ R3 d( U/ m ]2 O" T3 Y
4C19:00A4 INC CX
: C: | _6 k. f; ?4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
: E1 N% s/ \5 K/ z4C19:00A8 JB 0095 ; 6 different commands.0 P# g# V V$ k/ l
4C19:00AA JMP 0002 ; Bad_Guy jmp back.# j3 S& u! k& y6 p
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)4 F! K% h, B/ L2 k
( {! Q7 L; w0 w2 p
The program will execute 6 different SIce commands located at ds:dx, which
4 }2 }" w' x* D; h j1 sare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
4 C9 Y+ s) e# X* {% r- h. e9 a6 Z+ ]7 b+ B9 O
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.0 W. C* Q$ p6 q3 j; e6 X
___________________________________________________________________________$ f5 [- |8 B, @' W
- W0 V$ A8 Q9 Y) \& x1 C$ v
* K, J9 ?. q. F6 \; \% n" J A
Method 03
+ z- _6 t3 O/ _. r8 ?* [8 B" m=========
/ \& y* F1 ~% W( W$ W2 Y p( k# v4 b2 f, n) b# X
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h U. e( g9 ^' x0 |9 N! k P4 z
(API Get entry point)0 c/ r3 H8 Y3 D
1 N8 t) z! q. L
4 B6 z' h+ \. M' I0 d: _9 }: E xor di,di
4 i; [$ u ]9 M) A. S6 D1 n mov es,di
0 g) q; F- M! K" L mov ax, 1684h 3 V5 [# |, y6 n! l
mov bx, 0202h ; VxD ID of winice" ^. [- B/ z4 k: A0 v3 H" Z
int 2Fh4 z" @2 ^& S- y8 M/ M6 U3 k/ g: i
mov ax, es ; ES:DI -> VxD API entry point2 T" ] m" ]: s* K. _# [
add ax, di
7 [; n* n6 e# Y: Y" ^( h2 G test ax,ax
% G! r7 T1 U1 Q6 q, }) L jnz SoftICE_Detected H7 O+ G% o, q! d0 |
) m. h" ?& n9 B- X; R) B4 a
___________________________________________________________________________& n( B* X* g# w$ C) Q7 X
+ i" C5 S: r5 y }- \9 vMethod 045 {3 G7 \3 t, K; |$ o0 z
=========
g) M# ~& V+ e
! Q$ S6 j& }/ Y$ p0 x9 kMethod identical to the preceding one except that it seeks the ID of SoftICE7 s3 K6 ]8 [5 c% A
GFX VxD., y; [: x% p) A4 ?7 `
0 b. a# b+ w5 j7 b: i xor di,di( G& N* s9 B+ a& e. d: L% N; n8 w
mov es,di
. k6 b4 {' p$ [ mov ax, 1684h 8 r4 G' p2 K* P. `
mov bx, 7a5Fh ; VxD ID of SIWVID
- G5 N$ H( l( | int 2fh0 P# N3 Z/ |% |0 F9 G
mov ax, es ; ES:DI -> VxD API entry point
- @4 _; Z0 [( n$ U+ M! V add ax, di
+ J. N4 M/ A! c& n7 w: _' w test ax,ax
8 ]& w0 R: a' \) E9 x) L- q- D: j jnz SoftICE_Detected
* S7 G- j# ]; w+ \% L& C6 b0 f$ u, `% u7 g8 |7 d/ V& D Z
__________________________________________________________________________
& M; n1 {/ \0 Z( ^. A. a) ?
* I5 [& P1 k6 d0 A' c
: V2 V9 B7 K! Y) A$ KMethod 058 A& _8 q+ d8 k9 |
=========- ? e2 Y/ @# ]6 r1 O
& o8 f3 v3 f6 d5 t [/ PMethod seeking the 'magic number' 0F386h returned (in ax) by all system
6 G, M9 U; d3 x6 x- S6 R0 s% wdebugger. It calls the int 41h, function 4Fh.' j: O) \8 ~) `
There are several alternatives. $ K- @) J- g5 Y ~( X
~) S2 e/ i6 a5 lThe following one is the simplest:
* _( s3 ]$ U) O/ n3 ?7 X i: [- j3 V: ]+ f) }
mov ax,4fh& W/ C$ e* T1 w1 |. o8 I
int 41h( u. b& y# ]; P/ n- M4 D- B% X
cmp ax, 0F386
, Q# T' e, W3 W) l4 O0 Z/ E jz SoftICE_detected
6 V! R6 C- Q7 x0 O, f5 s" D3 x% k8 U7 P( k. v" V. E
3 N2 \; t' k0 M' J- v
Next method as well as the following one are 2 examples from Stone's
$ H2 T- T' ~/ S"stn-wid.zip" (www.cracking.net):, _6 u7 [: z2 S3 J6 s( m
' s+ A7 u7 X, R) J/ T' k% C0 F mov bx, cs( f4 p9 t4 P9 b# T. ~& C
lea dx, int41handler2
: U2 L8 F. }$ n* e4 N xchg dx, es:[41h*4]
4 b1 d& u; e* G/ j1 C xchg bx, es:[41h*4+2]5 c+ ]8 c% A2 u9 Y4 J( o
mov ax,4fh
% U4 U- `+ R* [* d8 i int 41h: L: j; `5 I* Q1 Q
xchg dx, es:[41h*4] u3 _; K# U- U8 a8 D ?/ m
xchg bx, es:[41h*4+2]% X K8 t* ~7 e9 p o, A- V
cmp ax, 0f386h- F# F- d+ q6 @& ~% [& i0 r" d
jz SoftICE_detected- q' n& M1 m6 t2 o: L( K
2 r+ j' Q0 i) d( cint41handler2 PROC: u% `0 k1 m& y) n' x) C- r
iret1 N& _8 J- `5 W! U
int41handler2 ENDP
5 A4 w! m$ a3 _# A0 P. J) t0 n4 J
; z) C" B/ [$ V2 S T7 e$ b
}: E. D0 W/ |2 ^( s. i4 ]_________________________________________________________________________0 \0 h) i* Y p# r
5 E a# m; F+ Q3 x( N: A% D3 S# s
/ p; Z- z o3 |2 X+ y# h# AMethod 06
2 w( }& X: e7 L% T5 r) O/ h9 J=========2 E( J+ K; S0 J6 O
. H( U2 R% s2 X: _; r
- Y9 l/ h9 k7 M Q! B7 ]- A2nd method similar to the preceding one but more difficult to detect:/ z7 \8 e8 E: t
( k$ e* {1 |1 N l+ k+ q+ W' x. R1 \) K" `; M% l$ r
int41handler PROC
. Y2 y. p2 Q1 c# C mov cl,al
9 c1 D& E6 Y; a* S* m A: S iret
+ Z b( G2 O; o" |int41handler ENDP
$ `+ t g% j9 b/ W( R; t( E
8 c' M' `. ?9 b" I9 z
1 B! M4 v+ e, o4 Z6 [) b2 m$ L$ ? xor ax,ax; C4 {2 ?+ y: w6 y4 C1 X9 Z1 M- i
mov es,ax: h0 f2 w% f3 J3 u
mov bx, cs
" ~3 l3 X* A- D( h6 H3 u( O3 @ lea dx, int41handler
8 Y) [3 C1 f" o xchg dx, es:[41h*4]
2 h: q# H$ B: _- j! M5 _& [ xchg bx, es:[41h*4+2]
{) M5 S2 H) J& ]; O; q$ d0 Z/ \* C in al, 40h0 g% W9 t& l/ v: m& x% X. w
xor cx,cx
4 H( b6 l2 a; R4 U" V3 Z int 41h
. i. a5 I) {0 Z" O! {; b) |0 W xchg dx, es:[41h*4]
' I! h+ w) E3 q2 X7 V xchg bx, es:[41h*4+2]
* D! Z" d7 i O3 v( |; E cmp cl,al. \ L- U" R9 Y
jnz SoftICE_detected9 X5 A' N$ m6 v# N9 v- `- E1 | U
/ _, o g3 q& P0 V_________________________________________________________________________) D+ x& k0 G4 X3 b, Q& z
# _) k9 s) d" l
Method 07
6 }. M& a$ |/ k6 H=========
F$ |- T8 [+ _# d0 ~) m8 _- Z8 T2 v; h7 i/ D* B
Method of detection of the WinICE handler in the int68h (V86)
1 H9 H* ]6 {, U& }
. X( e7 ~' T( _; F" o) b9 w mov ah,43h* `3 r% d; F- q
int 68h
, z$ L% ]( B/ }. Q" ]; y4 { cmp ax,0F386h
: o* s9 ^- T5 N- `. x. r0 T jz SoftICE_Detected2 E: X. h: t3 ^& b- W0 E) W* ^
+ s, D$ Z3 B+ d) a0 D- \$ X
0 L8 g( b$ H7 s! l* m5 x* s# w=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
* x6 s0 B1 @% k5 i# d% W' z+ i app like this:" T1 _+ n4 m0 G% z4 c. F$ \+ d" m n
7 X+ J* X, i( i. @1 W BPX exec_int if ax==68
3 p7 b O& T) A1 {. W2 }8 Z( u1 u (function called is located at byte ptr [ebp+1Dh] and client eip is# S) n9 q: o* r" M; G4 T& a
located at [ebp+48h] for 32Bit apps)1 p4 `4 k9 J& b* a
__________________________________________________________________________ b3 M3 h7 H7 i
$ t0 a l/ d+ e- ~% J0 i0 `
% p) P. T; Z7 V/ {; {
Method 08
, n7 J3 N% ]4 c9 e: x=========! V/ x6 P. k: s8 s
8 P2 I' l& r, a) rIt is not a method of detection of SoftICE but a possibility to crash the6 O: E7 k( R8 W% i9 {! l
system by intercepting int 01h and int 03h and redirecting them to another4 i9 x9 p# R5 C
routine.* _2 J* p J" k0 b3 r0 v3 F, t
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
$ x9 [5 }& E6 \' t7 \) ]- o5 Yto the new routine to execute (hangs computer...)( T3 v* K% ?2 w; N j" Z/ T
5 Y5 m/ p- t& Y, i% e5 u( P
mov ah, 25h
7 }: I2 p2 P' |( K4 e mov al, Int_Number (01h or 03h)
4 T8 c: ^9 q* e9 e# B3 q: G- } mov dx, offset New_Int_Routine0 |- {1 x- ~+ }/ R& ]" Q' m& D
int 21h
' `3 y: Z3 H7 \" j* g# y8 }% S; f& A. m x& Y( R. m
__________________________________________________________________________
+ ?; v" S/ q/ P+ k9 a1 r" c) C
; c3 j8 ?+ F* {- R. |( rMethod 09! c9 R1 P, n" y& w; _
=========
. N) f+ s3 A1 S( c3 a& Z5 L- |3 {* n; v
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
) ]# \) e$ H+ u' T+ a+ `performed in ring0 (VxD or a ring3 app using the VxdCall).
9 o, M4 w. g, ?* BThe Get_DDB service is used to determine whether or not a VxD is installed
5 T X# ^! Y$ o' R% O6 }& s' k# ^6 _for the specified device and returns a Device Description Block (in ecx) for' v4 ^) H6 G' _3 f P. \
that device if it is installed.
# J1 ]. I" B7 h8 T
) ]/ o7 Q9 l l mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
; q' ]' M, J6 G8 [/ b" E+ } e6 U, B mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
* D% G/ O# }' |! B1 C VMMCall Get_DDB% U- A! i' A: s0 X
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed9 r+ w* m/ a6 l7 k: M3 r
7 U: t N8 S3 x- v( s! F
Note as well that you can easily detect this method with SoftICE:
) P) d( I0 u$ V2 w8 Y3 g" ^ bpx Get_DDB if ax==0202 || ax==7a5fh- K5 v' B: r' V d! t
$ A# l+ f; r6 \" t4 w$ ]
__________________________________________________________________________
) z! {: K: ~% S# {( R) c( z; L: K7 b! g9 b1 ?$ j
Method 10$ i2 t) b3 v' N3 ^1 v( W
=========
, s- Z9 R& B5 G$ s2 h" _3 n
/ [2 Y" B# B* Z=>Disable or clear breakpoints before using this feature. DO NOT trace with/ b6 B1 u. ~- A! x: k/ u2 L
SoftICE while the option is enable!!
7 `6 w ]- F2 X" a4 t S
( r& G6 ~6 H5 `* l* NThis trick is very efficient:
% ^& ?; C0 q% L" u1 jby checking the Debug Registers, you can detect if SoftICE is loaded) L2 r5 V, b3 b' k4 s" l% B! Y$ x
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
* m; o. {3 }" [( E* Zthere are some memory breakpoints set (dr0 to dr3) simply by reading their
- [7 l6 l& r- ]value (in ring0 only). Values can be manipulated and or changed as well
" t) E4 O! Q1 d N( {1 L(clearing BPMs for instance)
2 z# N! V, N, t: z
; F" F( u% ?. P+ [8 b__________________________________________________________________________( q- g4 _4 n. V+ P4 u
6 @- Y: r% m1 r: t; vMethod 11% A9 o8 Q" K0 c/ O( H8 R
=========
0 k- ]( u U4 `/ J2 x
5 ~- v$ G. v6 IThis method is most known as 'MeltICE' because it has been freely distributed' \& x# U3 ~) |. h
via www.winfiles.com. However it was first used by NuMega people to allow+ Y! L% c4 A7 o* q1 { b
Symbol Loader to check if SoftICE was active or not (the code is located
" ]. w2 I. V* S0 {% L( sinside nmtrans.dll).. G: v k5 B1 J) g8 `
& h3 @4 v5 j9 k0 H9 C6 a1 z
The way it works is very simple:/ \5 `8 G3 q3 Z# C1 x+ G' w
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
2 p# y6 p! {' Z- L7 X, P/ A8 ?WinNT) with the CreateFileA API.5 i1 |' G- u; d' `; V
3 m& D7 s/ w0 z/ a7 [% w) n/ {2 q S
Here is a sample (checking for 'SICE'):& {- V% B6 L* ?$ X( _' \/ l5 W
& }9 ?3 _+ O% u; Z9 E. r/ Q
BOOL IsSoftIce95Loaded(): h9 V, O" Z& v0 F, O9 w/ ]! z
{* R! ~# Q! g3 v
HANDLE hFile;
$ {4 }6 I( }4 f0 R" a8 w6 W hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,2 q4 h% E7 B1 k; q2 `4 N
FILE_SHARE_READ | FILE_SHARE_WRITE,: ~+ X* S5 z2 @' _1 R2 r0 b8 ?
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);# \* d+ ~5 N( H* D0 z
if( hFile != INVALID_HANDLE_VALUE )8 U# j; S6 @' _7 \3 Y4 q% P/ u
{) X5 j2 b% S+ x3 M) q$ P6 X
CloseHandle(hFile);
& L/ s' `% z5 |$ t( B- l3 l; N: M return TRUE;
. o* M( r r6 y) f& M }
' @. X! D" h- Q3 ^: Q) C' J return FALSE;
0 V" |$ m, c% [) z8 O8 D. }}
4 }( [8 v; R1 V
. N [) {7 T: b5 NAlthough this trick calls the CreateFileA function, don't even expect to be6 }( T3 o# ~8 {$ j$ |
able to intercept it by installing a IFS hook: it will not work, no way!2 [- n* Q4 W f6 J! O' P' b
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
7 w) J6 B# k. P0 b# Cservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
( L3 Z' t% c1 Tand then browse the DDB list until it find the VxD and its DDB_Control_Proc# c C8 V H1 o Z) ~% ~6 i0 f
field.2 P! r$ M5 G2 ^! c0 f" P/ t7 y
In fact, its purpose is not to load/unload VxDs but only to send a Y6 ]7 _& R$ \% h7 e7 n/ n- r$ a! U
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
" M: ~9 s! d7 d/ P. P ]to the VxD Control_Dispatch proc (how the hell a shareware soft could try1 f+ J2 I3 e+ V3 @ _7 R! ~, O4 ~
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
3 l/ V* L" u4 o% y4 U( m6 PIf the VxD is loaded, it will always clear eax and the Carry flag to allow
, l5 F. c* D' q1 l+ R6 hits handle to be opened and then, will be detected.! z: h4 |+ T0 Q3 |7 c4 ~& v: a9 o
You can check that simply by hooking Winice.exe control proc entry point
" {, w6 H& }, P3 u# n( ^* Rwhile running MeltICE.: O! T0 H9 K7 Q9 K( _
- y8 ~0 F( P1 ?2 S d6 P& l7 j9 J
00401067: push 00402025 ; \\.\SICE
: N+ k9 D+ M/ E" k2 s! U- M# G 0040106C: call CreateFileA. \ ]- _* m+ z. S& |" w% w( X5 u& T" n' f
00401071: cmp eax,-001: ^9 t$ [# E/ I! b% X8 m. i0 ~2 v: e
00401074: je 00401091
" O" t! P( ^3 e4 s7 Y. h# n$ b% A- Y1 J1 E) n+ Y6 u
' m) H( P$ C7 `& ?( G- V6 B, W
There could be hundreds of BPX you could use to detect this trick.. k2 W5 u. A h; P1 a
-The most classical one is:
7 j2 ]* T/ i8 l9 X; x7 z) K BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
8 h. o" d$ n, L+ r+ K1 w- Q *(esp->4+4)=='NTIC'/ K3 z F0 z" @
) S3 f8 }! F( o
-The most exotic ones (could be very slooooow :-(! }# r* S; n( R0 \$ K7 K! G; x
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') 7 o5 K) X' U8 M
;will break 3 times :-() E& h2 X6 c5 O+ ]" A/ f; a
* f- ]' K; M& }5 l-or (a bit) faster:
* k3 `3 J: S5 ]$ K3 {1 x BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
' Q+ e( ~- p8 @+ i' Y) N* j/ l; p' ~4 t. R0 J2 Y% _
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' # M+ B" f0 F4 S
;will break 3 times :-(9 i! n' x$ x/ _9 x3 m$ N
$ {7 b$ k9 l9 w# J; U _- M4 j
-Much faster:
% k5 A" v6 z/ O% U9 z) [5 a BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
& L2 u) [* j4 v
- K/ z6 O4 |0 B% P; c& w5 C7 N3 iNote also that some programs (like AZPR3.00) use de old 16-bit _lopen8 W1 W2 Z, N( J; Q8 X; }
function to do the same job:
8 F K3 @: f) C# M6 H! E7 ?6 Z- l# ~2 w# j. [
push 00 ; OF_READ
, u" x! ?; F& H mov eax,[00656634] ; '\\.\SICE',0
0 p' L6 x% H9 L1 I- ? push eax6 c* k$ l& M3 o$ b4 x% T# A3 y5 s$ N2 c
call KERNEL32!_lopen, }$ ~1 n! G* {
inc eax0 r0 ]- U0 Z" }1 l8 D# S2 Z
jnz 00650589 ; detected
0 d; }& j( O4 R. y9 H+ N* \. o% ^ push 00 ; OF_READ! Z# w! H7 D) v2 R+ c& ]
mov eax,[00656638] ; '\\.\SICE'
( a) u0 t6 ^* D R" t push eax: r- G8 M! D) B0 w: E# _
call KERNEL32!_lopen+ G4 f3 c2 j" j" {3 v- s
inc eax) e& O9 k, H6 i0 B4 Q
jz 006505ae ; not detected# G9 d/ [ a( b; C; V
) F) l% w& W0 j
9 N# a7 j5 ?7 a1 U/ H% q
__________________________________________________________________________
( L h E: H; C0 Y; B' b4 e- b+ c+ B3 A- n' @5 u8 H0 p4 o
Method 12
3 E; t+ M t& @8 ^* L. r6 ~3 x8 t=========) e3 X J9 O2 U2 j0 Y& C
+ N3 i( C7 o0 {/ M, J8 }' e2 VThis trick is similar to int41h/4fh Debugger installation check (code 051 i/ {4 Z# v* f
& 06) but very limited because it's only available for Win95/98 (not NT)' C% q. _+ z6 M. N
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.3 k- s+ w* C/ @) p/ u
4 W& y, V6 |# Z' O) W
push 0000004fh ; function 4fh
2 B _% ]6 {( G: _+ D push 002a002ah ; high word specifies which VxD (VWIN32)
8 d" s! `1 p( R n, {- w ; low word specifies which service6 s& J$ D* ~% O8 N
(VWIN32_Int41Dispatch), t& g1 W6 _7 o( N. B, T
call Kernel32!ORD_001 ; VxdCall7 T' L; ?9 M8 s* t9 t% e' w7 \, ]
cmp ax, 0f386h ; magic number returned by system debuggers
* B* h7 p1 {( ^, a8 R2 E ^' ^4 Z2 o* _ jz SoftICE_detected7 T1 g% c: u2 r8 {
- i9 z6 K. r2 v) D" x, Y
Here again, several ways to detect it:. F- f! A" q2 d& \0 C' \: X$ S
( l* P1 t# q: S: L( p
BPINT 41 if ax==4f& v% h4 ?" }/ P2 {: c+ {' X4 Q1 A- O( `
+ I# l& b! A5 p3 D BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
% P5 W% j& ]! t4 p' P$ S! n4 P
3 N; j+ ?( U/ a9 {5 D BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
1 |' p" m A% p
* C; W4 K) R5 ` ~1 G BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
/ X5 q4 [, U' Z3 C! H9 L" m
, X/ I, F" T: W- B" i__________________________________________________________________________: u+ h* I2 h) x1 q: y
% t# ~; f4 z3 G* D7 F9 c" k" j
Method 13( \- ~1 `; s8 x$ ^# y& h' n
=========
! h C# X+ A1 A7 l% i
; x% {8 d$ j, z% gNot a real method of detection, but a good way to know if SoftICE is
7 N2 Y! y7 `) e. W6 M* ^installed on a computer and to locate its installation directory.. i8 X8 {- B# O1 C
It is used by few softs which access the following registry keys (usually #2) :
$ t/ Q" G6 A, C9 r* W, X. X9 A6 x( w2 i/ S1 j2 p3 @. `0 _
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
: }* x* Q% v& i: O! T\Uninstall\SoftICE
6 j5 E! m/ g9 B: F/ I6 n-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE* H- m* F M% ~& W5 s
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
& Y2 p" T/ k. k9 q; v8 y: i\App Paths\Loader32.Exe
( r8 P. K9 ?6 r! Q" E- R( e8 T1 q; l9 Z- j
8 J8 Y1 S" S' M# z2 b0 e, ~: _, @Note that some nasty apps could then erase all files from SoftICE directory) h1 c3 e6 l2 D1 y5 l/ q7 a- k
(I faced that once :-(2 j; j9 f4 v6 E7 N* M
+ ?' o2 T( L% y5 R
Useful breakpoint to detect it:
8 p/ y2 V( G: @" z! g! p) ?! o0 n8 s6 t& _% Y) I
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
7 P: \" C3 @, I
) Y3 }3 N4 l) {8 Z; D0 z- q__________________________________________________________________________
' E% T' E7 e0 v/ e( x2 f9 A0 g. {" N* E/ F5 S
3 r, S% h6 O/ E6 p% {
Method 14 ) F, l! N3 O1 ~& p
=========$ J/ R8 e; T. ]+ ~' Y: w
* o. `' F4 e! ~) U8 e# K( eA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose! u& u/ D \- }3 C
is to determines whether a debugger is running on your system (ring0 only).
6 U# g% s2 Z1 B: k P9 t1 V
5 e* r( C# Q: p+ D1 a4 M( m1 I6 { VMMCall Test_Debug_Installed- K' V ~9 j! V! h& [7 e3 a+ O
je not_installed
- [3 ^6 k& F8 z! [9 C7 U5 w
$ ~) Z! Z+ Y+ B/ MThis service just checks a flag.
* D3 s; E) d% G</PRE></TD></TR></TBODY></TABLE> |