<TABLE width=500>
! b b: Q) T0 G. W/ f- J- Y: |/ T- u<TBODY>, f9 u; N) ~9 y8 O2 b
<TR>
3 B, v* @9 N9 X) R5 o<TD><PRE>Method 01 ) `- U1 `+ G' A, W6 u
========= {9 i# B) `/ V
0 B+ Q3 |$ c' k) XThis method of detection of SoftICE (as well as the following one) is
, n; m; O- j6 h( { g1 k8 kused by the majority of packers/encryptors found on Internet.- I, o ?/ k, p% C7 P v2 B# S& n
It seeks the signature of BoundsChecker in SoftICE* n) e7 d0 V$ ], C( t: m
; F) W, F- a6 m7 @3 {! J; R% y. p
mov ebp, 04243484Bh ; 'BCHK'
( S ]' Q: h2 p2 V- ]% y- m mov ax, 04h5 K; W: G& s c# m5 W1 Z/ A( w; q
int 3
) K& C4 m8 Y* h cmp al,4
3 O) y" z* K7 e" t, k jnz SoftICE_Detected. U' ^' g3 p: e: p& q' P
" Q; v% U; V8 _6 W9 x: N___________________________________________________________________________
" y1 c4 ~" y6 V9 }3 j' n, ]+ d$ B: l0 Z" `: ` B' x
Method 02
$ _% q- [. l( g0 P7 W+ c% p3 v; G=========1 x: k; t9 D/ E1 g$ l
5 h7 U. d) M8 m ?Still a method very much used (perhaps the most frequent one). It is used
9 s; n& U( J1 z0 M6 V0 K7 Nto get SoftICE 'Back Door commands' which gives infos on Breakpoints,; V. x+ J; u+ q! Y1 B
or execute SoftICE commands...
1 G8 X s. `/ M: I8 b; IIt is also used to crash SoftICE and to force it to execute any commands
% N$ M/ Q, a" L+ X" z; J(HBOOT...) :-(( 3 u% ~6 R; f m
' t2 t! ?" n- v
Here is a quick description:/ T. x2 u/ v2 Q/ N; ^
-AX = 0910h (Display string in SIce windows)
* M, Y3 K9 Y6 y/ h-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
( q3 Z. ~' s0 a) x* ?3 i' e' w-AX = 0912h (Get breakpoint infos)
7 Q+ n6 w5 p! `4 @7 i-AX = 0913h (Set Sice breakpoints)
# M- l+ o! ]5 J. R& f4 p, l; w-AX = 0914h (Remove SIce breakoints)
7 e$ w/ D0 c' [1 F4 x% w3 o; u* I- [+ w* s% s0 B2 I5 n9 X8 q
Each time you'll meet this trick, you'll see:+ p! a" d, H9 }! a- O& b
-SI = 4647h
& v% D( C) D2 S" w-DI = 4A4Dh
% z% `. Z$ w# l, ~7 I& j5 YWhich are the 'magic values' used by SoftIce.
8 I' z. K; }0 a, L0 X6 e4 O* NFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
j* K: v8 e* R4 Q. ]
$ p/ I# s5 k1 l! `+ ~6 q* yHere is one example from the file "Haspinst.exe" which is the dongle HASP& l' V& `5 h- R" i
Envelope utility use to protect DOS applications:! |3 i2 r, `( Q: @; S- T$ b
$ B( U3 `( c# z5 c' ]: u6 a' f& f$ V% v
4C19:0095 MOV AX,0911 ; execute command.1 T2 I* ~9 ~3 ?8 Y
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).% S o: c/ N$ u, b3 t$ J/ H
4C19:009A MOV SI,4647 ; 1st magic value.
& T9 Y0 G2 H2 p. N4C19:009D MOV DI,4A4D ; 2nd magic value.
+ @: C5 S, H$ W5 p7 F4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
: \: c5 }2 ~/ q4 n# g4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
/ Q& B& Q8 H( |* ?$ M# B7 ^! {4C19:00A4 INC CX
7 a# g4 R8 ]; G N: q3 a6 q3 ]4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
. w% e& P# k3 a# W0 f- T% ]1 M4C19:00A8 JB 0095 ; 6 different commands.- C& N+ [! J5 M3 g
4C19:00AA JMP 0002 ; Bad_Guy jmp back.2 z; k+ V* \; s0 _; [
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
7 t9 N3 g) p7 ^4 Z8 a, X( v0 c$ Q5 C8 `
The program will execute 6 different SIce commands located at ds:dx, which5 ^0 u' @5 w; ^9 u$ }8 A
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
% \+ c$ A3 e- Y. m" S& }5 f2 T0 Z2 `$ s4 z! Q
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
4 v% [/ p" C' K5 D% s4 Z( U___________________________________________________________________________
* n8 h h1 Y! @2 A3 d7 G4 l V( q* n! N5 T3 K _
6 Z3 q: V: j5 ]' AMethod 03
# F, t5 k- o1 ] E) O=========
! \! {. r5 Q9 o
4 H) m2 T4 E- P2 |& gLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
0 W3 q! S- N3 B' j8 T" M' |2 Q(API Get entry point)
# V/ f: g: W+ W& W3 C- z+ s, ~1 U1 P
J! H- H- o& k2 z' [ v/ K9 _" J* n# c* P* n: h. j+ A/ i' X' G
xor di,di
! I8 ^; H# {. l- T mov es,di
. t$ C& M3 B" ~* } mov ax, 1684h - z$ ^4 r# O+ a9 h+ l# M
mov bx, 0202h ; VxD ID of winice
; Y4 V& i0 s7 D, L" ~& C int 2Fh3 n$ h% E, h0 b/ o2 A$ N( G
mov ax, es ; ES:DI -> VxD API entry point
5 T U) {5 @8 d6 \ P" a* f4 V add ax, di) c& g4 D/ @) S
test ax,ax- W5 m0 k6 t5 g- f3 C
jnz SoftICE_Detected8 D3 k, I1 B% R2 C k q1 u5 E* y
6 k2 u* s8 k2 W; {1 u y! n2 N___________________________________________________________________________
1 p% g) N+ @1 m) Z q" O9 U% z+ z+ }1 S* y
Method 04
8 F6 O: N1 [3 N! s+ G# |# m: P1 c=========" W2 f0 I- D- ~
0 R0 X: ?$ J7 g: e9 m; T |Method identical to the preceding one except that it seeks the ID of SoftICE& N$ Z# i) B! f- C: l3 f& ^
GFX VxD.
2 d, ]: @- [. k1 {9 N' r3 w: f: h0 u" l- n6 T# L
xor di,di+ I3 @* P; q6 u, C
mov es,di
: {3 Y* r/ Z( {) B3 d6 s2 c mov ax, 1684h
! Y5 a/ T2 H- f6 x" M$ m mov bx, 7a5Fh ; VxD ID of SIWVID* F+ P& H6 N, V1 {8 A2 M. N! u" [7 e2 ~
int 2fh# U: O* _3 a0 w7 W u$ D+ t0 K
mov ax, es ; ES:DI -> VxD API entry point& [! ?" k, ]( {7 I2 O* c F) ^
add ax, di/ n8 M5 [& a" T2 w
test ax,ax& E. ~" B( V1 |% h+ K
jnz SoftICE_Detected W' V3 N. Z! M/ ]* v) k
4 L2 H; P4 k7 Z1 g7 z) @4 V7 a& \
__________________________________________________________________________
- S- L& |' p5 G" u3 j) g* N, Y
6 f/ H& ~3 E. M! t- {+ n& e+ J- u$ n r) s7 |; F
Method 05& S; N4 e7 M4 b3 Q& J' u0 t* m6 g
=========7 u3 e' _8 ?9 [) j
7 ~' X8 A; _' v" ~5 i3 e0 a
Method seeking the 'magic number' 0F386h returned (in ax) by all system7 M6 o8 t; C( @) }1 L
debugger. It calls the int 41h, function 4Fh.( l k0 G& S: a' t1 U
There are several alternatives. ' N+ r: z1 v. f0 H8 E
1 _* k t- k o) |( d
The following one is the simplest:
1 |6 g# B- W+ h
, B( l; b" z& `* k* X$ C" l; p6 R4 y2 T mov ax,4fh
! ]/ x/ o) M8 {7 _0 R int 41h( T8 p, _! ~& P- q" f
cmp ax, 0F386
2 ~( v D+ L' {( k" d% Z jz SoftICE_detected" o3 i% Y- |/ b( K) ~! l. _
M9 ^1 f7 p7 T
" l% l6 ~' V _1 [& @2 [Next method as well as the following one are 2 examples from Stone's
. S% h$ s( W$ J3 i7 G"stn-wid.zip" (www.cracking.net):: O7 ~, T, p' [! g! `+ Z
7 V0 E9 E; t7 `) W7 V. L% E
mov bx, cs1 f% k( s7 j: E4 C& R o! [
lea dx, int41handler2
& k' [3 Z( f1 u( d C; [ xchg dx, es:[41h*4]
% U( l9 V) p" N5 n: X xchg bx, es:[41h*4+2]4 v5 } c5 t% y& S
mov ax,4fh
* t; U1 Y9 b2 a, _& Y% s/ Z int 41h- E, c8 \$ c$ J5 R! Y
xchg dx, es:[41h*4]+ J* c; p1 F: K( ]2 r
xchg bx, es:[41h*4+2]0 L/ ]* v1 m5 X
cmp ax, 0f386h1 G; F5 q. ]! J
jz SoftICE_detected
! C" V% U4 t6 T& u8 U
8 f1 p9 M* `, T& Eint41handler2 PROC
4 X& D% Z2 y t7 ^0 h iret
! J. G2 ]: B2 a$ N$ f: N7 oint41handler2 ENDP
* Q3 t0 b( B' D( V; r! j) ~
: v& B; j4 \; u& H/ w5 S0 g- }" R
n- N; P/ B; p, D6 u) h& _5 D_________________________________________________________________________
/ K. Y3 E, {' }/ a# I+ B* P7 o( p
8 U2 H: G; [% b
* q3 K3 m1 K1 w' PMethod 06# F- [# n. s: Z8 P
========= O4 P4 ~' A" i
& Z! F- R; ]. X3 b5 H2 w0 o2 {1 r$ G
8 v, a8 u$ Q# T) D/ R$ e
2nd method similar to the preceding one but more difficult to detect:
+ J2 N6 m, j, F5 g0 L7 e+ _3 [2 r6 j+ O+ v4 k- s
- Q/ q# a0 E# E2 R8 K4 i) o; yint41handler PROC
5 u* V8 x8 M) q: Z0 h; V mov cl,al. h4 z2 e! ?# ^6 a( O
iret' m+ N+ x3 H" f2 r0 k6 R/ V2 R
int41handler ENDP
% R9 K5 m9 Q1 x% I6 z6 g) F
* f0 w# |$ q: e. b+ [9 L9 g. {/ M3 t( U, r- H2 E
xor ax,ax
/ R- N! g9 R% T/ S% e( p& _ mov es,ax
! o1 z9 n, H9 G mov bx, cs
1 Q5 O/ G- ] h: D" h lea dx, int41handler6 t% K5 P$ q% P6 ]$ J* W
xchg dx, es:[41h*4]" X5 | ?# J% K6 K# B4 Z. i' r- A/ R
xchg bx, es:[41h*4+2]. a5 T; L! u5 h% h' E0 _8 F
in al, 40h! ]+ a# d/ l* K
xor cx,cx
' F3 t" B3 L) _3 N$ I int 41h
# i% C" d9 o& n" v3 R xchg dx, es:[41h*4]
u2 s5 ^1 Q" G7 w3 }1 h0 Q xchg bx, es:[41h*4+2]
! c. j" F1 _1 g9 X) { cmp cl,al
8 a& c( p2 j& `8 d/ d6 ] jnz SoftICE_detected5 s4 s: Q* W: V- ~# Z( ?' ]
" U$ a* A( B8 C_________________________________________________________________________" x6 |8 U( O6 g
' R+ A* U3 b0 i* s$ Y- ]3 ZMethod 07
! R! y: T' T& Q- u=========
: D% s3 y; O! t1 k
# b Z' \2 s' F- a; a8 x1 AMethod of detection of the WinICE handler in the int68h (V86)
1 }* j F% W$ h9 f' U- ^) H5 l9 a/ }8 b
mov ah,43h
" Z) x- i) H' f: O6 p% U/ S int 68h' Z3 F. |6 P7 ~6 ^& ^
cmp ax,0F386h
, A& E8 a6 H0 {- T$ | jz SoftICE_Detected( [8 ^ S( v. E- w) R
! } d" s) A( c
: I6 M4 X9 {% N- m" ? K0 c=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit1 v' G+ b1 t3 n' v' t2 m
app like this:
7 s& ~7 T/ K$ T1 q* ]5 T4 K
& D. P7 R0 e. O) u& ^6 s1 D BPX exec_int if ax==68: N6 |1 Q( ]( o8 \, |2 B& R
(function called is located at byte ptr [ebp+1Dh] and client eip is6 v$ h$ n5 B, @/ t7 u3 @
located at [ebp+48h] for 32Bit apps): c+ E7 N8 ]5 u* A% O
__________________________________________________________________________$ ]: m3 y/ C3 e% f
; Y. L& S2 H4 O# @4 R6 ~! w
! j! }! J# d1 _1 \
Method 08* ? V2 O; k/ V- M" a5 x' }
=========# }! F- }1 g, t K; y0 a
6 O2 ^2 Q; z$ X! G" X ^
It is not a method of detection of SoftICE but a possibility to crash the0 v( b) j) V7 h/ { t1 y) C! X% C
system by intercepting int 01h and int 03h and redirecting them to another( ~( G- |. R. v5 ~& J6 O
routine.1 b2 @* g' @$ `8 k9 z
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
, l8 E6 o3 w% J' ato the new routine to execute (hangs computer...)
' a& o$ f* o2 M( H! F
! O( y: H! F" \% J1 | mov ah, 25h
- I J0 b z2 u% ]' L! f mov al, Int_Number (01h or 03h)) n# J* D) F. t* ]; J9 Q N$ B
mov dx, offset New_Int_Routine
R, m. l- u# d' J4 `; s int 21h; [0 Y1 g7 C" `0 t& ]+ H8 x8 x
% V: E/ l' V l8 T5 Z" e__________________________________________________________________________9 G n8 i* ^2 g: \6 ]
: m+ Y. K* Y8 S6 |! |: _% ]
Method 09
2 H% c% B) u- t7 q3 z$ X0 C; z=========+ H8 P" q& g8 Z8 v9 r3 ?
7 f) J% Z8 K8 A8 G2 S/ Z6 |" f
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
4 @" X% _5 ]6 z0 Pperformed in ring0 (VxD or a ring3 app using the VxdCall).
: a% `0 R2 T7 {9 m/ }: V% T/ A/ v. rThe Get_DDB service is used to determine whether or not a VxD is installed; `/ N5 k+ R1 d3 Z9 ~- v
for the specified device and returns a Device Description Block (in ecx) for
; P0 Z3 {( t; [$ u2 Y) Nthat device if it is installed.
% z7 Z6 Z+ r1 J+ o0 L/ Y1 A
7 Q& h9 j8 j7 u; p mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
7 `8 w8 W( s, z7 N' q mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
, h- N# l. D8 S3 Q5 \& G VMMCall Get_DDB
+ f! H9 X* n' h/ d, f7 x }. h mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed1 v1 M5 {3 Y2 h" e
6 F8 D, g0 C0 V; K5 c, U
Note as well that you can easily detect this method with SoftICE:* j8 `' q* ?- b% E+ L
bpx Get_DDB if ax==0202 || ax==7a5fh& v4 E6 } G O5 u
2 P- ]3 X4 o8 F) {; e; H5 B/ A
__________________________________________________________________________
" g% X$ h; W4 w, N, q( M S& p A+ e. Y! _, E
Method 10
+ H' d. T0 w. F0 Z3 C$ P2 z" g=========6 o9 X# d& m- T* Z: ?
" q! n# x5 \+ m=>Disable or clear breakpoints before using this feature. DO NOT trace with0 }7 t0 ?; D- o% m# v# w4 {& A* p
SoftICE while the option is enable!!7 c! y7 N% U( P7 z D
* s( Z3 Q% s( }1 W" V' G# ]1 Z) r
This trick is very efficient:2 U `6 x( R$ z1 f* s# V* t: y2 t# j
by checking the Debug Registers, you can detect if SoftICE is loaded
1 f3 U9 D L& T- g7 w9 `6 r' k1 o* C, k(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if- @+ O) C) K8 L0 u$ F
there are some memory breakpoints set (dr0 to dr3) simply by reading their
6 ?' Q+ w6 V5 Y7 Z7 |2 c$ J" nvalue (in ring0 only). Values can be manipulated and or changed as well
/ n) ~" E8 Q' w: `(clearing BPMs for instance); G; \0 r5 M( p5 }
& c4 G5 a* n# P' r__________________________________________________________________________
, ]& V- {# n/ z% r* Z
8 L Q0 l3 m8 e7 vMethod 111 n/ ?0 t% }7 c4 M' O
=========
4 \2 b n/ ?9 M8 G4 v* C# B" U. U% N/ G4 \5 Z9 R1 k9 w+ y
This method is most known as 'MeltICE' because it has been freely distributed3 Z1 ` q: U# t' ]) N
via www.winfiles.com. However it was first used by NuMega people to allow( s. l: b# K) y3 G6 F- ~) v& m
Symbol Loader to check if SoftICE was active or not (the code is located
. L' O' \# n: G+ J- n8 B) tinside nmtrans.dll).
5 C8 j# e: K0 ^* I! U) `! q2 t& e3 a& R( ^) b
The way it works is very simple:9 t" T9 I B; V7 c
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
! B* P& P( f# |WinNT) with the CreateFileA API.: h4 d9 b- P- B: @0 _
$ {# U$ f5 x7 C) ]- [+ | k* R8 {
Here is a sample (checking for 'SICE'):
$ F: S$ x3 _5 O' Z* A3 n# N$ j [ S/ p* `/ W0 T1 m$ U: O# r
BOOL IsSoftIce95Loaded()7 _+ o" o6 ~& [( Q. N5 P9 j+ A0 D
{0 z, R* ]3 k0 n4 A# `
HANDLE hFile; ; }& a8 D; u) c2 R. h% V
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,; h9 N! t. h( T* |/ q$ W' Z* s
FILE_SHARE_READ | FILE_SHARE_WRITE,
5 r/ C6 ]- d- l. w Q7 ^ NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);$ X) \4 D% w! d6 K: e
if( hFile != INVALID_HANDLE_VALUE )- v8 u; V# \1 e4 f/ ^
{# t u2 T$ j" w5 M
CloseHandle(hFile);9 v" S; [! b- ~& j' V
return TRUE;
" B7 G: g1 g% T7 m d$ R7 a }
% j; g3 y1 g0 t* r9 ] return FALSE;. x8 t; n. u1 A& c$ O9 m: ?
}6 x( H: B# h5 B
8 m- [! u1 C; J% E; @0 R& v, JAlthough this trick calls the CreateFileA function, don't even expect to be
: f: d7 L* U8 I" w7 f! g" Eable to intercept it by installing a IFS hook: it will not work, no way!
4 w: }1 ]' U$ ~7 ?" z mIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
! @9 q5 S. G1 D+ c0 O' h- Wservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function), ~2 O" T: I; ^$ a$ e, B
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
- m' q' [3 G& n+ @! _; z$ ^$ sfield. c) Q; A4 z9 @3 S1 _/ D* |/ Z
In fact, its purpose is not to load/unload VxDs but only to send a 3 e+ d3 e Q& e f) d/ x" ?2 z$ R
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)) L0 `2 y! y: Z8 z6 t8 M
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
( U+ F, i8 L- E1 k, _1 ~ n: |to load/unload a non-dynamically loadable driver such as SoftICE ;-).
+ e4 j7 n; J o' f7 z) DIf the VxD is loaded, it will always clear eax and the Carry flag to allow
6 f# X# a% T. z# j& qits handle to be opened and then, will be detected.
6 @- L4 S( W: j* J% g% q8 P* P7 w& CYou can check that simply by hooking Winice.exe control proc entry point
5 s2 \6 w1 I/ n8 k* Fwhile running MeltICE.
* o5 i- K! u. X$ E( ?$ x- ~1 L5 a7 R7 p3 ?5 @$ U' M+ L
7 m! D" c9 Q) ` 00401067: push 00402025 ; \\.\SICE
# s( G7 q/ V7 w8 P4 N# | 0040106C: call CreateFileA
% w+ C4 {% P- @2 q" s 00401071: cmp eax,-0013 K j; F s- t1 m0 H' Q
00401074: je 00401091
1 c2 I0 W; b1 M& m# {& T3 k/ I. L2 \) z# r" W
y6 I P/ k& C4 O% uThere could be hundreds of BPX you could use to detect this trick.
2 G5 \5 E! @, B- w+ @" ]-The most classical one is: _ k9 q7 S& Q0 ?
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||( V& b/ E2 A; _8 H' @
*(esp->4+4)=='NTIC'- s1 e3 r6 ` p% @" J6 v
, Y6 `% C0 F- n2 C% ]! S: N; a; M-The most exotic ones (could be very slooooow :-( ~: _' ? T" O* n9 |. \8 j
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
0 a7 E- o7 F3 W# A* I U4 } ;will break 3 times :-(
& H, P7 h/ n3 @) J
, {6 Z2 x! ]6 W-or (a bit) faster:
: ]) U( ]8 G7 V1 D BPINT 30 if (*edi=='SICE' || *edi=='SIWV')9 s2 F& ]( u7 H9 K/ s! S0 n/ s
. \5 H; _+ q' U4 x, i7 s/ ?% M- a$ d BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
/ g- h' m+ _$ o0 S ;will break 3 times :-(( E4 w! Q6 h5 p+ a6 u* d, ^
$ n5 x0 _$ |; b/ y h-Much faster:
9 v( d; v% d6 m& e0 [ BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'1 r7 N. E4 [ q" z
, s; e! k; [+ V" e
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen0 w; V G6 j3 X2 E, \" M9 W
function to do the same job:* E7 s9 I; x- v& Z k5 i; L
8 |4 y' Z5 B* K% e( r
push 00 ; OF_READ# p2 g+ ]* m& O* R1 J$ ^# t
mov eax,[00656634] ; '\\.\SICE',0
4 T1 C1 g# R# q- u push eax
( }5 a& Z/ D" ^" g5 w+ R% L call KERNEL32!_lopen. a# P, D+ L( `' ^: M! `
inc eax W9 k" l/ [" `1 C# _& n; \9 D& d
jnz 00650589 ; detected
" h/ i2 u( L# |) |6 o+ V3 [ push 00 ; OF_READ* M% Z& i& v% N4 ^, q2 h
mov eax,[00656638] ; '\\.\SICE'
3 T8 V b/ Y& x4 { push eax
1 a- [+ S1 r8 r/ _1 W5 s* S9 n' _. }, P call KERNEL32!_lopen- F- w) A: c* Y2 r6 c5 [
inc eax0 d% ]- p* v3 Q$ ]& L( a/ d1 X
jz 006505ae ; not detected* ?' v- Z3 s* m2 b" F" w* s+ Q
3 g# k* C, `+ o; @0 g
# K. Q7 t O2 Z/ w0 U# a3 H8 ^1 w__________________________________________________________________________1 O& `4 x1 \, c: A
. P( i: V- N( \% c @! B$ p
Method 12
( J1 y/ x F1 J=========
6 r" r) \$ L; @; r- r
0 q7 _- s& Q; T0 f# XThis trick is similar to int41h/4fh Debugger installation check (code 051 b3 D X$ o& \* u s
& 06) but very limited because it's only available for Win95/98 (not NT)& H! r* N8 z& }3 u3 q# l+ ~8 N
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.3 f4 y: Z: J# k- y2 j, m9 K$ U
+ M, F9 |) X: w$ f$ u) \: t, l push 0000004fh ; function 4fh) @! e& ?4 S" {9 H O) t
push 002a002ah ; high word specifies which VxD (VWIN32)
! S0 d% M- A) |5 m( @5 Q5 L- K ; low word specifies which service5 V! [ q8 G+ s, J# [ L
(VWIN32_Int41Dispatch)+ K! @; E# Y" Y: G) o' ^+ x: W
call Kernel32!ORD_001 ; VxdCall
3 }+ e- |2 y! p& a, O7 P: C cmp ax, 0f386h ; magic number returned by system debuggers8 X0 p# Q1 X$ m$ r( D
jz SoftICE_detected
6 k( b" f2 N7 _* k+ m$ u
; u4 C! e5 ]$ ]3 y; CHere again, several ways to detect it:
- V9 I0 l# t' A: y" K* E! f2 E+ d2 Y
BPINT 41 if ax==4f$ x- O1 N) @/ j. k8 q* g
$ c) }, n F8 Z: l/ N+ E9 M, \
BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one% O/ i5 G3 U& |* f
% J' n4 l ?0 B! [& p- Z BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A# j3 E) q+ @1 @$ T5 S
8 I4 D9 h1 v0 V8 Z BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
7 @6 [+ Z! [2 n4 J/ h+ }% ]( |1 }' W8 D' F
__________________________________________________________________________1 p+ }# @: Q' t* P. J r
7 s( _( x, o5 h* ~
Method 13$ ^9 Z' S/ D& [- @9 `- D% u
=========
% a a/ v1 U' S/ o) N, k9 D* H. M/ B) a. B" R* D' i
Not a real method of detection, but a good way to know if SoftICE is
7 }' P& x* U& `2 c* S( Sinstalled on a computer and to locate its installation directory.# r7 e/ U" \/ J2 a$ \4 d. c" c- \
It is used by few softs which access the following registry keys (usually #2) :, B: Y1 M3 x- w" p& k: d( N& I9 z6 a
/ u8 a, j9 C- W
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion; i( W+ ?6 A/ D- I' o5 o
\Uninstall\SoftICE
5 F8 M" a$ t( y-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE, m. ?7 C2 }& @( {! n0 e
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion7 V7 o5 s( T8 R
\App Paths\Loader32.Exe
- p9 x. V+ E* \/ `$ \0 T. I+ k$ J* |- f) U D4 }
1 @; U$ t m6 u6 z/ t
Note that some nasty apps could then erase all files from SoftICE directory. [. E( R ^5 e* ]4 ^( P* K3 F
(I faced that once :-(; V0 d ], ]2 m' K$ b& J8 R
/ ], g7 M9 J8 T! S5 k, _8 KUseful breakpoint to detect it:
) p7 O! ~( w4 Y- z/ N( D
5 a, d9 X* U8 j( J BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
6 [) y& u- P* `0 Y( L
& B2 }" l! d$ ?" o/ _1 S- n8 x__________________________________________________________________________& ^2 h, ]0 @1 W+ L$ s
+ g- z, n' s e' m' G% D
. v9 L7 i9 `% F! A$ Z
Method 14
9 u$ d% M) k! b( T* x=========* y# n6 t' C$ ]; _+ [2 i
: K% x% w7 R; ^% A
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose9 {& x3 K, N8 g. H* F. X5 }
is to determines whether a debugger is running on your system (ring0 only).; J1 A! p# s; \
, x+ k8 w( m G: C
VMMCall Test_Debug_Installed
9 V& ~$ g0 \6 b1 [% ~9 d je not_installed
1 i8 e% Q0 p% \' n! [
" E5 h- \, j) y. y# R3 O) d- eThis service just checks a flag.
- w7 Z2 e$ K0 P+ B9 w</PRE></TD></TR></TBODY></TABLE> |