<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911      ; execute command.
    4C19:0098 MOV DX,[BX]      ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647      ; 1st magic value.
    4C19:009D MOV DI,4A4D      ; 2nd magic value.
    4C19:00A0 INT 3            ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02        ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06        ; Repeat 6 times to execute
    4C19:00A8 JB 0095          ; 6 different commands.
    4C19:00AA JMP 0002         ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP        ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WinICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI stays 0:0 if the VxD is not loaded
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler, keep the old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; reached only if our own handler got the int 41h
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; random-looking value read from the timer
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl != al -> something else handled int 41h
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86 mode):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

    BPX exec_int if ax==68
    (the function called is located at byte ptr [ebp+1Dh] and the client eip is
    located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

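To make the dr7 values quoted above concrete, here is an added example (not from the original text) in Python: a decoder for the DR7 debug-control register following the bit layout documented in the Intel SDM. It shows why 0x700 and 0x400 both mean "no hardware breakpoint armed" (bit 10 is always set; 0x700 additionally carries the LE/GE exact-breakpoint bits) and what a DR7 with a BPM armed looks like. The encode_bpm helper and the sample values it builds are constructed for this demo, not taken from the text.

```python
"""DR7 decoder: what a ring-0 read of the debug-control register tells you.

Bit layout (Intel SDM): bits 0-7 = L0,G0,...,L3,G3 (local/global enable per
slot), bit 8 = LE, bit 9 = GE, bit 10 = reserved and always 1, bit 13 = GD
(general detect: any access to DR0-DR7 raises #DB), bits 16+4i/18+4i = R/W and
LEN fields of slot i.
"""

RW_KINDS = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 means 8 bytes in long mode


def decode_dr7(dr7: int) -> dict:
    """Return the global flags and one entry per hardware breakpoint slot."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        global_ = bool((dr7 >> (2 * i + 1)) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        slots.append({
            "slot": i,
            "enabled": local or global_,
            "local": local,
            "global": global_,
            "kind": RW_KINDS[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "le": bool((dr7 >> 8) & 1),    # local exact breakpoint enable
        "ge": bool((dr7 >> 9) & 1),    # global exact breakpoint enable
        "gd": bool((dr7 >> 13) & 1),   # general detect: traps any DRx access
        "slots": slots,
    }


def armed_breakpoints(dr7: int) -> list:
    """Only the slots whose L or G bit is set, i.e. BPMs that are actually live."""
    return [s for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def encode_bpm(slot: int, kind: str, length: int, base: int = 0x400) -> int:
    """Build a DR7 with one local breakpoint armed (inverse of decode_dr7).

    Constructed helper for the demo; base 0x400 keeps the always-set bit 10.
    """
    rw = {v: k for k, v in RW_KINDS.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    return base | (1 << (2 * slot)) | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))


if __name__ == "__main__":
    # The two values quoted in the text: neither has a breakpoint slot enabled.
    for value in (0x700, 0x400):
        d = decode_dr7(value)
        print(f"dr7={value:#x}: le={d['le']} ge={d['ge']} armed={armed_breakpoints(value)}")
    # A constructed DR7 with a 4-byte read/write BPM in slot 0 (what a memory
    # breakpoint would leave behind for the trick above to notice).
    bpm = encode_bpm(0, "read/write", 4)
    print(f"dr7={bpm:#x}: armed={armed_breakpoints(bpm)}")
```

The LE/GE bits are the only difference between 0x700 and 0x400, which is why the text can use them as a loader fingerprint; the slot enable bits (L0..G3) are what a BPM actually sets, and the GD bit is the hardware's own answer to code that reads or rewrites the debug registers.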
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;

    /* try to open the SICE VxD through its device name */
    hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                         FILE_SHARE_READ | FILE_SHARE_WRITE,
                         NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        /* the driver answered the open: SoftICE is loaded */
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025         ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) + 1 == 0 when the open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed        ; ZF set -> no system debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>