<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; SoftICE answers the BoundsChecker call by changing AL
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach SoftICE's 'back door commands', which give information about
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command - the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

  4C19:0095  MOV  AX,0911      ; execute command.
  4C19:0098  MOV  DX,[BX]      ; ds:dx points to the command (see below).
  4C19:009A  MOV  SI,4647      ; 1st magic value.
  4C19:009D  MOV  DI,4A4D      ; 2nd magic value.
  4C19:00A0  INT  3            ; Int call (if SoftICE is not loaded, jmp to 00AD*)
  4C19:00A1  ADD  BX,02        ; BX+2 to point to the next command to execute
  4C19:00A4  INC  CX
  4C19:00A5  CMP  CX,06        ; Repeat 6 times to execute
  4C19:00A8  JB   0095         ; 6 different commands.
  4C19:00AA  JMP  0002         ; Bad_Guy: jmp back.
  4C19:00AD  MOV  BX,SP        ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks for the VxD ID of SoftICE via int 2Fh/1684h
(Get Device API Entry Point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of WinICE
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; (still 0 if no VxD answered)
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method, except that it looks for the VxD ID of
the SoftICE GFX VxD (SIWVID):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========
Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


The next variant, as well as the following one (method 06), are two examples
from Stone's "stn-wid.zip" (www.cracking.net). The int 41h vector is swapped
with a dummy handler around the call and restored afterwards (ES must point
to segment 0, the IVT, as in method 06):

        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our dummy handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A second variant, similar to the preceding one but harder to detect: instead
of asking for the magic number it checks whether its own int 41h handler ran
at all.

int41handler PROC
        mov cl,al               ; our handler copies AL into CL
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax               ; ES = 0 -> interrupt vector table
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the PIT counter: a hard-to-guess value in AL
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the original vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; CL == AL only if our handler was really called;
        jnz SoftICE_detected    ; if SoftICE swallowed the int 41h, CX is still 0

_________________________________________________________________________

Method 07
=========
Detection of the WinICE handler on int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
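Added example, not code from the original page: a small C scanner that looks for the byte patterns of methods 01 to 07 in a buffer, the way you would triage a packed sample before loading it under the debugger. The signatures are hand-encoded from the 16-bit assembly above (instruction encodings are assumed to be the usual ones, e.g. MOV SI,imm16 = BEh, INT 3 = CCh, INT imm8 = CDh); the buffers it scans are constructed here and are not taken from Haspinst.exe or any other real file.

```c
/* Added example, not code from the original page: byte-signature scanner for
 * the anti-SoftICE stubs of methods 01-07.  A signature is a short list of
 * instruction fragments that must appear in order within a small window.
 * Fragments are hand-encoded from the 16-bit assembly above; method 01's
 * MOV EBP is matched without its optional 66h prefix.  Sample buffers are
 * constructed here, not extracted from Haspinst.exe or any real file. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const unsigned char *b; size_t n; } frag_t;
typedef struct { const char *name; unsigned bit; frag_t f[3]; int nf; size_t window; } sig_t;

static const unsigned char bchk[]   = {0xBD,0x4B,0x48,0x43,0x42}; /* mov ebp,'BCHK' */
static const unsigned char ax4[]    = {0xB8,0x04,0x00};           /* mov ax,4       */
static const unsigned char int3[]   = {0xCC};                     /* int 3          */
static const unsigned char si4647[] = {0xBE,0x47,0x46};           /* mov si,4647h   */
static const unsigned char di4a4d[] = {0xBF,0x4D,0x4A};           /* mov di,4A4Dh   */
static const unsigned char ax1684[] = {0xB8,0x84,0x16};           /* mov ax,1684h   */
static const unsigned char bx0202[] = {0xBB,0x02,0x02};           /* mov bx,0202h   */
static const unsigned char bx7a5f[] = {0xBB,0x5F,0x7A};           /* mov bx,7A5Fh   */
static const unsigned char int2f[]  = {0xCD,0x2F};                /* int 2Fh        */
static const unsigned char ax4f[]   = {0xB8,0x4F,0x00};           /* mov ax,4Fh     */
static const unsigned char int41[]  = {0xCD,0x41};                /* int 41h        */
static const unsigned char in40[]   = {0xE4,0x40};                /* in al,40h      */
static const unsigned char ah43[]   = {0xB4,0x43};                /* mov ah,43h     */
static const unsigned char int68[]  = {0xCD,0x68};                /* int 68h        */

#define FR(a) { a, sizeof a }
static const sig_t sigs[] = {
    { "01 BCHK/int3",         1u<<1, { FR(bchk),   FR(ax4),    FR(int3)  }, 3, 16 },
    { "02 back door/int3",    1u<<2, { FR(si4647), FR(di4a4d), FR(int3)  }, 3, 16 },
    { "03 int2F/1684 SICE",   1u<<3, { FR(ax1684), FR(bx0202), FR(int2f) }, 3, 16 },
    { "04 int2F/1684 SIWVID", 1u<<4, { FR(ax1684), FR(bx7a5f), FR(int2f) }, 3, 16 },
    { "05 int41/4F",          1u<<5, { FR(ax4f),   FR(int41)             }, 2,  8 },
    { "06 int41 hook + PIT",  1u<<6, { FR(in40),   FR(int41)             }, 2,  8 },
    { "07 int68/43",          1u<<7, { FR(ah43),   FR(int68)             }, 2,  8 },
};

/* first offset in [from, to] where fragment f matches, or -1 */
static long find_frag(const unsigned char *buf, size_t len, size_t from, size_t to, frag_t f)
{
    for (size_t i = from; i <= to && i + f.n <= len; i++)
        if (memcmp(buf + i, f.b, f.n) == 0) return (long)i;
    return -1;
}

/* offset where the whole signature starts (all fragments in order, inside the window), or -1 */
static long find_sig(const unsigned char *buf, size_t len, const sig_t *s)
{
    for (size_t p = 0; p + s->f[0].n <= len; p++) {
        if (memcmp(buf + p, s->f[0].b, s->f[0].n) != 0) continue;
        size_t cur = p + s->f[0].n;
        int k;
        for (k = 1; k < s->nf; k++) {
            long at = find_frag(buf, len, cur, p + s->window, s->f[k]);
            if (at < 0) break;
            cur = (size_t)at + s->f[k].n;
        }
        if (k == s->nf) return (long)p;
    }
    return -1;
}

/* bitmask: bit N is set when the stub of method N was found */
unsigned scan_anti_sice(const unsigned char *buf, size_t len)
{
    unsigned mask = 0;
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (find_sig(buf, len, &sigs[i]) >= 0) mask |= sigs[i].bit;
    return mask;
}

/* constructed sample: the method 02 stub of the HASP envelope, 16-bit code */
static const unsigned char sample_hasp[] = {
    0x90, 0x90,
    0xB8,0x11,0x09,  0x8B,0x17,              /* mov ax,0911h ; mov dx,[bx]              */
    0xBE,0x47,0x46,  0xBF,0x4D,0x4A,  0xCC,  /* mov si,4647h ; mov di,4A4Dh ; int 3     */
    0x83,0xC3,0x02,  0x41,  0x83,0xF9,0x06,  /* add bx,2 ; inc cx ; cmp cx,6            */
    0x72,0xEA,                               /* jb back                                 */
};
/* constructed sample: method 01 followed by the simple method 05 check */
static const unsigned char sample_two[] = {
    0x66,0xBD,0x4B,0x48,0x43,0x42,  0xB8,0x04,0x00,  0xCC,   /* mov ebp,'BCHK' ; mov ax,4 ; int 3 */
    0x3C,0x04,  0x75,0x10,                                   /* cmp al,4 ; jnz detected           */
    0xB8,0x4F,0x00,  0xCD,0x41,  0x3D,0x86,0xF3,  0x74,0x05, /* mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz */
};
/* constructed sample: harmless prologue, push bp / mov bp,sp / xor ax,ax / ret */
static const unsigned char sample_clean[] = { 0x55, 0x8B,0xEC, 0x33,0xC0, 0xC3 };

unsigned scan_sample_hasp(void)  { return scan_anti_sice(sample_hasp,  sizeof sample_hasp);  }
unsigned scan_sample_two(void)   { return scan_anti_sice(sample_two,   sizeof sample_two);   }
unsigned scan_sample_clean(void) { return scan_anti_sice(sample_clean, sizeof sample_clean); }

int main(void)
{
    unsigned masks[] = { scan_sample_hasp(), scan_sample_two(), scan_sample_clean() };
    const char *what[] = { "hasp stub", "01+05 stub", "clean" };
    for (int i = 0; i < 3; i++) {
        printf("%-10s mask=0x%02x", what[i], masks[i]);
        for (size_t k = 0; k < sizeof sigs / sizeof sigs[0]; k++)
            if (masks[i] & sigs[k].bit) printf("  [%s]", sigs[k].name);
        printf("\n");
    }
    return 0;
}
```

The windows are short on purpose: a stub that interleaves junk instructions between the fragments, or that loads the magic values through registers, will need a larger window or a real disassembler rather than a byte matcher.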
__________________________________________________________________________


Method 08
=========

This is not a SoftICE detection method, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; DS:DX = new handler
        int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
for that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
        mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints are set (DR0 to DR3), simply
by reading their value (ring 0 only). The values can be manipulated or
changed as well (clearing BPMs, for instance).
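Added example, not code from the original page: decoding a DR7 value in C the way a ring-0 check of this kind would. It uses the register layout documented in the Intel manuals (bits 0-7 are the L/G enable pairs for DR0-DR3, bit 8 LE, bit 9 GE, bit 10 reserved and always read as 1, bits 16-31 the R/W and LEN fields), so the two values quoted above decode as: 0x400 = reserved bit only, 0x700 = reserved bit plus LE and GE. The third sample value is constructed to look like a 4-byte write BPM on DR0.

```c
/* Added example, not code from the original page: decode a DR7 value the way
 * a ring-0 check of this kind would.  Layout per the Intel manuals: bits 0-7
 * are the L/G enable pairs for DR0-DR3, bit 8 LE, bit 9 GE, bit 10 reserved
 * (reads as 1), bits 16-31 the R/W and LEN fields of the four breakpoints.
 * 0x400 and 0x700 are the two values quoted in the text; the third sample is
 * constructed to look like a 4-byte write BPM on DR0. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int enabled[4];   /* L or G bit set for DRn                      */
    int rw[4];        /* 0 exec, 1 write, 3 read/write (2 = I/O)     */
    int len[4];       /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes, 2 = 8 */
    int le, ge;       /* local/global exact breakpoint match         */
    int any_bp;       /* at least one of DR0-DR3 is enabled          */
} dr7_t;

dr7_t decode_dr7(uint32_t dr7)
{
    dr7_t d = {0};
    for (int n = 0; n < 4; n++) {
        d.enabled[n] = ((dr7 >> (2 * n)) & 3) != 0;
        d.rw[n]      = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n]     = (dr7 >> (18 + 4 * n)) & 3;
        d.any_bp    |= d.enabled[n];
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    return d;
}

/* The method-10 verdict: 0x400 is only the reserved bit, 0x700 adds LE|GE,
 * which a debugger sets for exact data-breakpoint reporting; any enabled
 * DRn is a hardware breakpoint (BPM) somebody left behind. */
int dr7_suggests_debugger(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    return d.le || d.ge || d.any_bp;
}

/* "Clearing BPMs": drop the enable bits and the R/W, LEN fields, keep
 * bits 8-15 (LE, GE, reserved, GD) untouched. */
uint32_t dr7_clear_bpm(uint32_t dr7)
{
    return dr7 & ~0xFFFF00FFu;
}

int main(void)
{
    const uint32_t samples[] = { 0x400, 0x700, 0xD0701 };
    for (int i = 0; i < 3; i++) {
        dr7_t d = decode_dr7(samples[i]);
        printf("DR7=%#07x LE=%d GE=%d", (unsigned)samples[i], d.le, d.ge);
        for (int n = 0; n < 4; n++)
            if (d.enabled[n]) printf(" DR%d(rw=%d,len=%d)", n, d.rw[n], d.len[n]);
        printf(" -> %s\n", dr7_suggests_debugger(samples[i]) ? "debugger/BPM" : "nothing");
    }
    return 0;
}
```

Reading DR7 is a privileged instruction, which is why the text says ring 0 only; a ring 3 program that tries `mov eax, dr7` takes a #GP, so the trick lives in VxDs and drivers, not in ordinary executables.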
__________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.
Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push 00402025          ; "\\.\SICE"
  0040106C:  call CreateFileA
  00401071:  cmp  eax,-001
  00401074:  je   00401091

There could be hundreds of BPXs you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(
-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov  eax,[00656634]     ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc  eax                ; HFILE_ERROR (-1) becomes 0 when the open failed
        jnz  00650589           ; detected
        push 00                 ; OF_READ
        mov  eax,[00656638]     ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc  eax
        jz   006505ae           ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxDCall
        cmp  ax, 0f386h         ; magic number returned by system debuggers
        jz   SoftICE_detected

Here again, several ways to detect it:

   BPINT 41 if ax==4f

   BPINT 30 if ax==0xF386                   ; SoftICE must be loaded for this one

   BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

   BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

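Added example, not code from the original page, for the two breakpoint conditions of this method and of the CreateFileA check in method 11: a C emulation of SoftICE's *(ptr+off)=='ABCD' compare, which reads four bytes at ptr+off and matches them in memory order. It shows why +4 lands on "SICE" right after the "\\.\" prefix of a device name, and why +0x13 and +0x37 land on the "tICE" of keys #2 and #1. The strings are constructed here; the helper names are mine.

```c
/* Added example, not code from the original page: emulation of the SoftICE
 * breakpoint compare  *(ptr+off)=='ABCD'  used in the CreateFileA and
 * _regopenkey conditions.  SoftICE reads a DWORD at ptr+off and matches it
 * against the four characters in memory order, so the helpers below do a
 * 4-byte memcmp.  Strings are constructed; the function names are mine. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* *(s+off)=='tag' on a NUL-terminated string; refuses to read past its end */
int tag_at(const char *s, size_t off, const char *tag)
{
    size_t n = strlen(s);
    if (off + 4 > n) return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName; +4 skips the 4-byte "\\.\" prefix of a device name. */
int is_sice_device_name(const char *lpFileName)
{
    return tag_at(lpFileName, 4, "SICE") || tag_at(lpFileName, 4, "SIWV") ||
           tag_at(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey; 0x13 hits key #2, 0x37 hits key #1. */
int is_sice_regkey(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13, "tICE") || tag_at(lpSubKey, 0x37, "tICE");
}

/* where "SoftICE" starts in a subkey path, to re-derive those two constants */
long softice_offset(const char *lpSubKey)
{
    const char *p = strstr(lpSubKey, "SoftICE");
    return p ? (long)(p - lpSubKey) : -1;
}

int main(void)
{
    const char *dev[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "\\\\.\\PhysicalDrive0" };
    const char *key[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",     /* #1 */
        "Software\\NuMega\\SoftICE",                                            /* #2 */
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" /* #3 */
    };
    for (int i = 0; i < 4; i++)
        printf("%-22s -> %s\n", dev[i], is_sice_device_name(dev[i]) ? "BPX fires" : "ignored");
    for (int i = 0; i < 3; i++) {
        long at = softice_offset(key[i]);
        if (at < 0)
            printf("key #%d: no 'SoftICE' in path -> %s\n", i + 1,
                   is_sice_regkey(key[i]) ? "BPX fires" : "ignored");
        else
            printf("key #%d: 'SoftICE' at +0x%lx, 'tICE' at +0x%lx -> %s\n", i + 1, at, at + 3,
                   is_sice_regkey(key[i]) ? "BPX fires" : "ignored");
    }
    return 0;
}
```

Two things the run makes visible: the compare is case-sensitive and exact-offset, so a program that opens "\\\\.\\sice" or passes a subkey with a different prefix walks straight past the breakpoint, and key #3 (App Paths\Loader32.Exe) contains no "SoftICE" at all, so that condition never fires for it.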
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

        VMMCall Test_Debug_Installed
        je      not_installed           ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>