<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE implements: with
EBP = 'BCHK' and AX = 04h, an INT 3 is answered by SoftICE, which modifies
AL, whereas without a debugger AL still holds 04h afterwards.

    mov ebp, 04243484Bh       ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4                  ; AL untouched -> no SoftICE
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT, which reboots the machine...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911     ; execute command.
    4C19:0098 MOV DX,[BX]     ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647     ; 1st magic value.
    4C19:009D MOV DI,4A4D     ; 2nd magic value.
    4C19:00A0 INT 3           ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02       ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06       ; Repeat 6 times to execute
    4C19:00A8 JB 0095         ; 6 different commands.
    4C19:00AA JMP 0002        ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP       ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own int 3 exception
handler if the debugger is not loaded (without SoftICE, INT 3 reaches the
vector the program installed instead of the back door).
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the SoftICE VxD by its ID via int 2Fh/AX=1684h
(VxD API "Get entry point"). ES:DI is cleared before the call and comes back
unchanged (0:0) when no VxD with that ID is loaded.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h             ; VxD ID of winice
    int 2Fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax                ; still 0:0 -> no such VxD
    jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh             ; VxD ID of SIWVID
    int 2fh
    mov ax, es                ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one swaps its own (empty) int 41h
handler into the real-mode interrupt vector table around the call, so that
without SoftICE the interrupt lands in the stub and AX comes back unchanged
(es must be 0, the IVT segment, as set explicitly in method 06):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]       ; install own handler, keep old offset in dx
    xchg bx, es:[41h*4+2]     ; ... and old segment in bx
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect: no
function number is passed in ax, so a "BPINT 41 if ax==4f" never fires.
The program reads a byte that changes on every run from the timer (port 40h)
into al, then calls int 41h with its own handler installed. If int 41h reaches
that handler, cl becomes a copy of al; if SoftICE handles the interrupt itself
instead of chaining to the vector, cl stays 0 and the mismatch gives it away.


int41handler PROC
    mov cl,al
    iret
int41handler ENDP


    xor ax,ax
    mov es,ax                 ; es = 0: the real-mode IVT
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]       ; install own handler, keep old vector in bx:dx
    xchg bx, es:[41h*4+2]
    in al, 40h                ; timer channel 0: unpredictable value in al
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]       ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86). Function 43h is
the common debugger installation check; it gets the same 0F386h answer as
int 41h/4Fh.

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov ah, 25h               ; DOS: set interrupt vector
    mov al, Int_Number        ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h                   ; ds must hold the routine's segment
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID        ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name      ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx            ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only: a mov from a debug register executed in ring3 raises a
general protection fault). Values can be manipulated or changed as well
(clearing BPMs for instance).
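As an added example (not part of the original text, and not SoftICE or loader code): a decoder for the DR7 values quoted above, following the DR7 bit layout documented in the Intel SDM. It shows why an untouched DR7 reads 0x400 (bit 10 is a reserved bit that always reads as 1), what the two extra bits in 0x700 are (LE and GE, the local/global exact breakpoint enables), and which bits a BPM adds or a "clear BPMs" removes. The function names are this example's own; the values are plain integers here, since reading DR7 itself needs ring 0.

```python
# Added example: decode and build DR7 values. Bit layout per the Intel SDM
# (vol. 3, "Debug Registers"); function names are this example's own.

DR7_LE = 0x100            # bit 8: local exact breakpoint enable
DR7_GE = 0x200            # bit 9: global exact breakpoint enable
DR7_RESERVED_ONE = 0x400  # bit 10: always reads as 1, so an idle DR7 == 0x400
DR7_GD = 0x2000           # bit 13: general detect, #DB on any MOV to/from DRn

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Describe which of the four hardware breakpoints DR7 enables."""
    breakpoints = []
    for n in range(4):
        local_en = (dr7 >> (2 * n)) & 1       # L0..L3 are the even low bits
        global_en = (dr7 >> (2 * n + 1)) & 1  # G0..G3 are the odd low bits
        if not (local_en or global_en):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3        # R/Wn: access kind that fires it
        ln = (dr7 >> (18 + 4 * n)) & 3        # LENn: width of the watched range
        breakpoints.append({
            "reg": "dr%d" % n,
            "scope": "global" if global_en else "local",
            "type": RW_TYPES[rw],
            "len": LEN_BYTES[ln],
        })
    return {
        "breakpoints": breakpoints,
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "general_detect": bool(dr7 & DR7_GD),
    }


def looks_like_softice_loader(dr7):
    """The heuristic quoted in the text: LE and GE set with no breakpoint armed
    (0x700) is what a program started through SoftICE's loader sees; 0x400 is
    an untouched DR7."""
    info = decode_dr7(dr7)
    return info["le"] and info["ge"] and not info["breakpoints"]


def arm_bpm(dr7, slot, kind, length):
    """Return DR7 with a memory breakpoint (what a BPM sets) armed in slot 0..3.
    kind is one of RW_TYPES' names; length is 1, 2 or 4 (8 only on x86-64)."""
    rw = {v: k for k, v in RW_TYPES.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    field_base = 2 ** (16 + 4 * slot)
    dr7 &= ~(0xF * field_base)              # clear the slot's old R/W and LEN
    dr7 |= (rw + 4 * ln) * field_base       # R/W in the low 2 bits, LEN above
    dr7 |= 2 ** (2 * slot)                  # local enable Ln
    return dr7 | DR7_RESERVED_ONE


def clear_bpms(dr7):
    """What 'clearing BPMs' from ring 0 amounts to: drop every L/G enable bit.
    The R/W and LEN fields may stay; the CPU ignores an unarmed slot."""
    return dr7 & ~0xFF
```

With these, arm_bpm(0x700, 1, "write", 4) yields 0xD00704: slot 1 locally enabled (bit 2), R/W1 = 01 (write) and LEN1 = 11 (4 bytes) in bits 20..23, and the loader's LE/GE bits kept; clear_bpms on that value gives 0xD00700, which the heuristic again reports as "loaded through the SoftICE loader".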

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SICE device can be opened, i.e. the Win9x SoftICE
   VxD is loaded. Use "\\\\.\\SIWVID" or "\\\\.\\NTICE" for the other two. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}


Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025        ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001         ; INVALID_HANDLE_VALUE
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
 dword compared holds the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                           ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                           ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                        ; OF_READ
    mov eax,[00656634]             ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                        ; HFILE_ERROR (-1) becomes 0
    jnz 00650589                   ; detected
    push 00                        ; OF_READ
    mov eax,[00656638]             ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                    ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

    push 0000004fh            ; function 4fh
    push 002a002ah            ; high word specifies which VxD (VWIN32)
                              ; low word specifies which service
                              ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001     ; VxdCall
    cmp ax, 0f386h            ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386                  ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

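The sequences quoted in methods 01 to 07 and 12 all boil down to a handful of immediates (the 'BCHK' and 4647h/4A4Dh magic values, AX=4Fh before int 41h, AX=1684h with the VxD ID in BX before int 2Fh, AH=43h before int 68h, the 002A002Ah VWIN32 service word before VxDCall), which makes them easy to flag statically in a packed executable. As an added example (not part of the original text, of any packer, or of SoftICE): a small Python scanner carrying those byte signatures in 16-bit encoding (an optional 66h operand-size prefix is tolerated for 32-bit code), run over a buffer constructed by hand from the Haspinst.exe listing in method 02 plus a method 05 and a method 03 probe. The signature names, the offsets chosen and the buffer itself are this example's own.

```python
import re

# Added example: byte signatures for the anti-SoftICE sequences quoted in this
# text (16-bit encodings; an optional 66h prefix is accepted where 32-bit code
# would emit one). Signature names are this example's own, not any vendor's.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "M01_BCHK_INT3": rb"\x66?\xBD\x4B\x48\x43\x42.{0,12}?\xCC",
    # Method 02: mov si,4647h and mov di,4A4Dh (either order), then int 3
    "M02_BACKDOOR_INT3":
        rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
        rb".{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,VxD-ID / int 2Fh
    "M03_INT2F_SICE":   rb"\x66?\xB8\x84\x16\x66?\xBB\x02\x02\xCD\x2F",
    "M04_INT2F_SIWVID": rb"\x66?\xB8\x84\x16\x66?\xBB\x5F\x7A\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "M05_INT41_4F": rb"\x66?\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "M07_INT68_43": rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch) before VxDCall
    "M12_VXDCALL_INT41": rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob, base=0):
    """Return sorted (offset, signature name) pairs for every match in blob.
    base is added to each offset so results line up with a disassembly."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((base + m.start(), name))
    return sorted(hits)


# Constructed sample: the Haspinst.exe loop from method 02, assembled byte for
# byte at its listed offsets (0095h..00AEh), followed by a method 05 and a
# method 03 probe. Built by hand for this example, not dumped from a binary.
HASP_LOOP = bytes.fromhex(
    "B8 11 09"        # 0095 MOV AX,0911
    "8B 17"           # 0098 MOV DX,[BX]
    "BE 47 46"        # 009A MOV SI,4647
    "BF 4D 4A"        # 009D MOV DI,4A4D
    "CC"              # 00A0 INT 3
    "83 C3 02"        # 00A1 ADD BX,02
    "41"              # 00A4 INC CX
    "83 F9 06"        # 00A5 CMP CX,06
    "72 EB"           # 00A8 JB 0095
    "E9 55 FF"        # 00AA JMP 0002
    "8B DC"           # 00AD MOV BX,SP
)
EXTRA_PROBES = bytes.fromhex(
    "B8 4F 00 CD 41"  # 00AF mov ax,4Fh / int 41h            (method 05)
    "3D 86 F3 74 00"  # 00B4 cmp ax,0F386h / jz (target elided)
    "B8 84 16"        # 00B9 mov ax,1684h                    (method 03)
    "BB 02 02 CD 2F"  # 00BC mov bx,0202h / int 2Fh
)
SAMPLE = HASP_LOOP + EXTRA_PROBES


def scan_sample():
    """Scan the constructed buffer as if it were loaded at 4C19:0095."""
    return scan(SAMPLE, base=0x95)


if __name__ == "__main__":
    for offset, name in scan_sample():
        print("%04X  %s" % (offset, name))
```

scan_sample() reports the back door at 009Ah (the MOV SI of the listing), the int 41h/4Fh probe at 00AFh and the int 2Fh/1684h probe at 00B9h. The lazy `.{0,8}?` gaps let the magic-value moves be separated by a few unrelated instructions, as in the HASP loop where MOV DX,[BX] sits between MOV AX,0911 and the magic values; a packer that loads SI and DI through other registers or computes them at run time will of course slip past a static scan like this one.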
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory!
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey string; 0x13 and 0x37 are the offsets of "tICE" in
 keys #2 and #1 respectively, i.e. the lengths of "Software\NuMega\Sof" and
 of "Software\Microsoft\Windows\CurrentVersion\Uninstall\Sof")

__________________________________________________________________________


Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>