<TABLE width=500>7 t9 T: j; W+ M: L8 d6 M2 m" ~9 A! e
<TBODY>3 \+ @+ K+ D0 w, ~) }9 K. I
<TR>
: G6 @5 H+ A) Q/ p, A& E<TD><PRE>Method 01 ( \+ b* c; U! m- s) _+ Q
=========
% c/ G$ H2 B3 k5 _! S, B
' d2 Q+ y4 H5 ^: SThis method of detection of SoftICE (as well as the following one) is& v2 Z, r) v6 k/ w$ n
used by the majority of packers/encryptors found on Internet.5 U- ]/ H& b4 Q/ Z. N- s
It seeks the signature of BoundsChecker in SoftICE
! t! s1 m5 `$ O$ B; X
- o* K6 q1 I X- T8 W mov ebp, 04243484Bh ; 'BCHK'
5 s: r( Q* i3 o5 C. e, E" v mov ax, 04h7 c& t* L2 Q/ D/ R% }5 _
int 3 , W1 j" C8 V, K
cmp al,4
& H' t4 j; w6 R8 ]; }8 @ jnz SoftICE_Detected
) [' {- ~3 p2 P; E" J
0 H$ O) F3 b. \4 y6 j___________________________________________________________________________. k* I k; Z% ]0 _2 ?
) s5 ]7 {8 x3 ?: e8 AMethod 02
" e7 k% v d; A2 H=========6 u3 m/ ?% w4 N( d# p/ u- G
" v% }9 Y* X- N3 q' s3 [Still a method very much used (perhaps the most frequent one). It is used
, [$ _6 w- P* n' ]6 uto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
! \" n/ S7 z; B [7 ^/ l) H: M& ]or execute SoftICE commands...
1 w: A4 p# w6 k9 o! G3 k' K' O5 |It is also used to crash SoftICE and to force it to execute any commands
8 q' g' [, y9 n4 Q/ {6 @1 g(HBOOT...) :-((
: u% K# P# `& {4 V& j( C2 }8 Q& `2 B
p! f+ k1 k' v% b* w7 SHere is a quick description:1 e2 M) A* s4 }: r$ i0 O% T9 _) V e
-AX = 0910h (Display string in SIce windows)
7 k1 Z, c- F d: n. R% p-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)4 k* R5 Q$ ?) b
-AX = 0912h (Get breakpoint infos)
7 u+ a6 v) ]1 E9 p+ H-AX = 0913h (Set Sice breakpoints)
* c7 J6 e. n# Y4 l-AX = 0914h (Remove SIce breakoints)6 u' D5 K# f1 b4 k
' Z2 }( J3 d6 T6 w( X6 R& l
Each time you'll meet this trick, you'll see:9 W7 F/ d/ |# i1 v2 V
-SI = 4647h! n1 x) T: S# U4 X8 @! `+ u, L
-DI = 4A4Dh* w' E& T) b7 d* J$ w
Which are the 'magic values' used by SoftIce.
U7 e- ?' b4 q! }7 aFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
) ]1 F. s8 b3 W8 U9 \6 C: z! c& b7 A4 o& @" R2 w& J0 L
Here is one example from the file "Haspinst.exe" which is the dongle HASP( R. B: A$ e. S- V2 \2 x
Envelope utility use to protect DOS applications:
6 Z V6 W" U! c' M2 f0 K* f$ @. R e' T2 N' |) n' \1 m* V* Y8 v' k
& R+ S8 B9 J: `' }: Z5 o
4C19:0095 MOV AX,0911 ; execute command.6 O8 ?$ @; N* ^
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).8 n3 c8 X. C; m. Q
4C19:009A MOV SI,4647 ; 1st magic value.6 D( [# f5 s3 r9 C( d1 I* N0 h" B
4C19:009D MOV DI,4A4D ; 2nd magic value.
- M8 F; x- b9 z! ], U4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)1 ]5 j5 ?" |# O% [& g0 V- h2 K& X
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute; ?1 F" r) M5 a/ I6 L: Z
4C19:00A4 INC CX2 K8 J$ ?3 p6 ^' V2 U$ {
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
; ?' N6 O3 {' X$ o4C19:00A8 JB 0095 ; 6 different commands.' U: m+ Y9 T( Z4 M0 P1 P9 t
4C19:00AA JMP 0002 ; Bad_Guy jmp back.! D& i+ \/ G. s1 A- ?2 J
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)$ g4 V6 } f# x) V' V- Y8 s
5 z) z' w' e* @( Z& MThe program will execute 6 different SIce commands located at ds:dx, which
/ {* `1 z; H( R7 R2 tare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
6 C$ C0 {* C- S& n- n' i) {' ]9 m( S6 v
, R* t8 A& G+ _* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
" S0 ]" \& l0 C% g___________________________________________________________________________- O: @# Q; K6 `8 ?
) p4 c- @/ l% m3 O! V
3 C2 V9 i6 O7 b w- EMethod 03. ~4 d# o' m) |$ I% y# l
=========7 o. g' ]( S5 S" P/ H+ `8 b+ }6 z' K! t
, K3 U/ S. m H! g( y* s
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
* a) h% i6 Z2 o3 e4 f! E, {(API Get entry point)
8 M( ?5 e+ J2 V& H8 X, A
7 t) K) q" R5 i9 P
7 a7 A8 l! U; G4 j! D& T xor di,di
[: X! R6 z7 l mov es,di* T" f6 W# ~9 y' V% K, {2 q0 S
mov ax, 1684h
+ @! W+ O5 o9 b6 o mov bx, 0202h ; VxD ID of winice( h: u; ^# B0 ]( D. A0 n
int 2Fh! G! r8 _3 y/ f6 _8 q
mov ax, es ; ES:DI -> VxD API entry point
. I1 |4 m0 u2 a% U8 m add ax, di
1 u: w# z1 Y: L$ }! V8 j! i2 v test ax,ax
1 n( q# @, _( \8 d; H, B( }, i# Z+ ~ jnz SoftICE_Detected
. ]* t* }- c0 C8 \1 R5 C
" Y6 D% ~( G1 P___________________________________________________________________________
3 S1 }9 r% B5 B4 I" K
- H, A5 X) O# I& `% k* L) @$ VMethod 04
, m. A+ b9 v _$ ?; e: k5 T=========& S6 j0 x8 K# G, G; s3 @
: Y+ L% a* J# @" S: M8 R5 TMethod identical to the preceding one except that it seeks the ID of SoftICE
! T3 P. `; M$ \, tGFX VxD.
( Z2 R2 b1 {. n# C4 A% g/ ]$ R) [# h) Y9 k b/ o2 `
xor di,di
) b4 i7 w( l- h2 s mov es,di# P u& i6 p& K P3 B8 R% z6 C
mov ax, 1684h
0 U. K: k# n/ V& l7 q$ Z9 H( K) ~1 T mov bx, 7a5Fh ; VxD ID of SIWVID/ i6 a& h, \1 H* Y* r
int 2fh
! }! E& h# H" Y! V- ? mov ax, es ; ES:DI -> VxD API entry point$ c$ [3 c1 N$ `. k" `
add ax, di T" l) }1 |/ f/ M. P: `
test ax,ax6 z6 _: l6 S' R1 f
jnz SoftICE_Detected6 y0 F3 U+ u# V+ r3 O4 Q4 S& e' j" Y
8 S3 I1 y/ m. C1 C2 E9 I
__________________________________________________________________________& _1 ~! k/ Y% p1 W2 f3 F
9 x$ J& }8 x0 Y) a" m3 m" C
M+ N+ `! n& j' N9 R: p' }9 QMethod 05) U: v- U9 M0 P6 [) h
=========) J D( l' C3 H; I
/ S9 [8 c! x. h1 q1 AMethod seeking the 'magic number' 0F386h returned (in ax) by all system& I5 S* x- Q$ k3 A b$ E8 i
debugger. It calls the int 41h, function 4Fh.
* N+ z4 e- E1 t) g- ^9 qThere are several alternatives. 1 R* i" S, K- d. ~% T' ` b5 Q8 ?
" Q8 V: N4 J" e( q) [5 ~/ @0 ~
The following one is the simplest:* L) L' L7 H# c5 R
, a1 [) [1 c* p( ~9 Z, r# w4 ^ mov ax,4fh
7 S. l" }; v7 [( ?( A int 41h
, }, J& T+ P$ K( K cmp ax, 0F3863 r& P) f7 g- [4 S. H; i* P
jz SoftICE_detected/ y! l2 S$ m) N3 I. p5 Z
* A0 o: n) ~; i
' U, H$ p# c/ \4 pNext method as well as the following one are 2 examples from Stone's
% M: s. u5 @3 G4 A8 u: O"stn-wid.zip" (www.cracking.net):/ P( J9 r% B, S& m. f4 {
2 j& ]- j2 m4 D$ H5 w# p, h5 {# m
mov bx, cs
% `5 e* }' c: s* s& |% ]* ~. G lea dx, int41handler26 r" z" f" L/ k! g: _0 v7 j
xchg dx, es:[41h*4]
7 O# g5 t) A# |8 ^" |' V# a: A xchg bx, es:[41h*4+2]9 S2 E& w, W: P M U/ n2 P
mov ax,4fh
$ O" n5 a+ w0 N' z+ P- }* o int 41h' X3 L8 s# N7 A: W. V
xchg dx, es:[41h*4]4 @! G2 }# |' Z3 B
xchg bx, es:[41h*4+2]4 y- M, N9 @/ t! m
cmp ax, 0f386h; Y% X- h. y6 m- A: s1 K0 d
jz SoftICE_detected/ c8 _; L s1 }6 ]
( e" e$ F+ O' Z% c, b. u/ Lint41handler2 PROC
I7 I- J% L `( A D iret! c; ^! V, o+ l. j5 |
int41handler2 ENDP2 u( q, I8 S" n L/ R) o
3 q# ?2 s! [) W/ ]% b' T$ [2 O; E* Q) W! z6 O
_________________________________________________________________________
& ?; G' V# k7 K0 N$ y7 P- M8 h; u4 k) Z- l1 ?+ {7 c
0 }+ _+ r1 I& F; N# e/ A
Method 06% J3 t; W) W2 p/ U4 |
=========( K% A- V' @9 d# B
1 h3 V; a$ D+ g0 n2 n8 {
9 F" l5 m9 y/ i2 C
2nd method similar to the preceding one but more difficult to detect:
* \3 O! T! }2 y% i- H8 L: L5 L+ K# X! I& o# V: u
) B8 z& o$ h6 l' h/ C
int41handler PROC
. Z' r* R. }5 U mov cl,al
% P0 ?2 r2 w2 H, I" B3 S3 v8 f iret& ^- `5 d$ Y9 H
int41handler ENDP
: N G- _. Z1 w+ ^8 K
. z, f9 Q- M- ?, n7 R9 w4 z1 x+ v8 m1 x: l& ~, V5 F
xor ax,ax
0 w+ T) |+ C" U& F mov es,ax5 J) J( m! B1 z% G: s+ E
mov bx, cs7 ?) y& q' s" R1 q# Z* N5 T j; U
lea dx, int41handler6 W: T2 O% F% t: J" [# J
xchg dx, es:[41h*4]
! O9 {: g. U3 j$ y) x xchg bx, es:[41h*4+2]0 p, P# G- `$ o4 K
in al, 40h
* P# m" `, ?: C* n xor cx,cx% z* {. z9 z1 T1 i( j
int 41h
) b" Z2 J' h6 t4 Z8 x/ Z xchg dx, es:[41h*4]
9 V ?7 e/ N4 n. i( e xchg bx, es:[41h*4+2]1 |4 W$ @# ]/ W! V' e) k) p
cmp cl,al
7 ~0 d% g+ X1 o2 n1 V/ Y jnz SoftICE_detected1 b) F. P" h" U
6 \2 T! } z+ l6 c8 C3 F9 [( D P/ N
_________________________________________________________________________
: t% [- Q3 x6 ^4 n/ ]/ P7 m5 ^* n; v' W% W
Method 078 R" x& G( T; S5 j3 ?
=========9 S, K0 C9 S4 d) @4 j: H
Z' _. C, M( l2 w4 ]' i1 [& B' d
Method of detection of the WinICE handler in the int68h (V86)
, G+ {5 M& {! R0 h+ S! G2 [4 k9 q* b7 U
mov ah,43h
+ H7 c1 U1 Z! W# ~+ b* { int 68h8 R7 G+ C {+ o; q* \5 c
cmp ax,0F386h( s C) K+ t: e9 L' V
jz SoftICE_Detected
) X: \. r3 t; c5 W! S0 t5 ~+ T% v( S0 s& R
2 c- | M: J* A. f=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
6 M- V P c" C) D! r# D; X app like this:
' {+ o2 N0 s' g: u$ t3 H- j, c4 h, J8 x! d9 K
BPX exec_int if ax==68# g, J5 N5 `1 \8 Y
(function called is located at byte ptr [ebp+1Dh] and client eip is
% ]% t9 U/ X3 d' g3 {! S' A* S located at [ebp+48h] for 32Bit apps)5 r r' P) R) n- i4 n7 Q
__________________________________________________________________________+ F1 p5 ?& N$ J5 U4 }2 q7 ~4 n
% k8 Z/ j$ j4 v& [! x# N
2 Z! I! L- K' L I- b8 k& L# K
Method 08) ^! w7 c7 X4 b( M3 d
=========
4 k+ E- B1 R5 O
& P9 _$ W3 ?. I" g- O0 i2 r& UIt is not a method of detection of SoftICE but a possibility to crash the
, x0 H4 J. V/ a" {system by intercepting int 01h and int 03h and redirecting them to another
2 q' w8 `7 b$ d2 j, r" Croutine.
2 V+ |6 I, V" u( g) ?% @2 eIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points3 l' p* V$ h5 m! {2 l
to the new routine to execute (hangs computer...)5 Q7 z. Y& r, |( t" t/ f4 H/ O! v
6 Q" a6 u! e# B; Y) {
mov ah, 25h
9 j; T9 P# i$ i3 z" T3 h/ d mov al, Int_Number (01h or 03h)
4 J& v0 H: f: X4 E; B8 ` mov dx, offset New_Int_Routine' b7 \- i( L+ W" v
int 21h
; Y7 R/ O# N1 A" Z. I7 s! r
7 l- D/ _1 z5 ^ D2 }; Z__________________________________________________________________________5 x4 _2 U5 Z4 p3 M- h0 t# I0 F) e
' l( v0 T1 }# s- V/ _8 ^6 R9 e
Method 09
b4 l4 O" W X7 {0 l" q+ h# t=========
2 |& s3 r: F. I: X7 C V ?1 y2 t& o
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only) |! B( z$ Z Q
performed in ring0 (VxD or a ring3 app using the VxdCall).' k8 R0 X/ v: a' @. U) s
The Get_DDB service is used to determine whether or not a VxD is installed
+ j1 F5 c @) e# d* W6 g& W% r4 sfor the specified device and returns a Device Description Block (in ecx) for
. W( N- t8 T8 ~6 q$ h2 @; K5 `that device if it is installed.
* c. `9 `6 ^% w% F2 H/ ?+ L
* R; O F" o" V; U mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID, `/ D% Y3 t- F3 q& s' W
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)- `# y: p' p2 C( g! v, L& D5 Z0 C) i) p
VMMCall Get_DDB1 p$ X: V! m0 h, V' u5 U9 t, p
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
+ p& `+ x2 @* k$ _; C5 k M$ H
, Q; L8 U/ r& M6 t0 z* F0 ONote as well that you can easily detect this method with SoftICE:
& h4 J! j: k. |1 q% s$ A. R bpx Get_DDB if ax==0202 || ax==7a5fh& ~/ a# Y7 p5 r& T4 }& A. r$ m
, c. d& b' K( @7 b$ z0 N# ~
__________________________________________________________________________/ A' N& I0 f" e$ }
5 J7 R% Y5 a3 z" E8 K. aMethod 10
, V$ m) i; C7 D. u8 A3 x=========; M2 [ O1 x6 ]9 z
2 S+ b4 j7 n1 q3 ~) s=>Disable or clear breakpoints before using this feature. DO NOT trace with/ ~) \7 G# }! j2 X4 w' _ x5 ^
SoftICE while the option is enable!!
9 k0 l+ Z2 C$ u& R/ Q6 P
8 N8 F3 E- @2 a2 R: g0 J' }. KThis trick is very efficient:- h; g( t/ H7 k9 I0 Q( V4 L
by checking the Debug Registers, you can detect if SoftICE is loaded
}- y& t6 x) e, \(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
1 H- p, D d( ] y2 }" V' K/ tthere are some memory breakpoints set (dr0 to dr3) simply by reading their
/ x( [: j8 n' Q7 X& H$ Z; svalue (in ring0 only). Values can be manipulated and or changed as well
2 E) c( C" X# Q(clearing BPMs for instance)4 b2 r! ]! A- F
1 T) r V9 }/ ^9 v2 q__________________________________________________________________________
, T; L. ~7 [3 j' k
) u; l7 f7 a! d% eMethod 11
$ Z; Z P/ x1 Z4 X" Q5 U=========# X* M) [$ V- m5 q$ E7 [& `
. r0 q: Z. s$ k( _( n+ J# J
This method is most known as 'MeltICE' because it has been freely distributed
2 C! ]$ e6 [% w% s6 Dvia www.winfiles.com. However it was first used by NuMega people to allow
" q" }& j3 X! c% k( ~# Y" @. ~/ ~/ PSymbol Loader to check if SoftICE was active or not (the code is located! w. U7 F; ~( e
inside nmtrans.dll)." r( B2 Q7 @$ S/ y
) P3 p' B' F0 G& gThe way it works is very simple:) U$ U1 p: O* ?/ v' ^2 V3 f0 W, y
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for3 h! @7 A8 x3 x; b
WinNT) with the CreateFileA API.
# k6 V w! u) F2 P
+ c' @- V$ Y( R2 w8 b' O m s% b! oHere is a sample (checking for 'SICE'):
8 g+ H5 \* G# q
& q& J. m( p& T9 u9 N9 Z+ nBOOL IsSoftIce95Loaded()
7 a, s& S, e, @ y{
, k% x8 }* a8 i/ P+ h) f" W$ Z HANDLE hFile; 8 Q" R6 g* M. B! K2 e
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
3 G* v7 _1 j+ ~; E! E- D FILE_SHARE_READ | FILE_SHARE_WRITE,3 V- [# e0 D) I
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
# U1 M; y" \# w; v; J* n if( hFile != INVALID_HANDLE_VALUE )
; B) U: ^5 f2 b5 |0 \/ J* K4 E {
d- i- u; f1 s% T* p/ n6 ] CloseHandle(hFile);2 F! g7 [; U+ y/ P
return TRUE;# G8 p( N$ N" J- P
}9 @ H3 E5 F' `" D! N% o
return FALSE;- v' g1 h% W$ V( ?- H
}& u2 T" I" R9 n ]" R8 J% {
4 k# k* Q) n4 Y( k3 O" N' @Although this trick calls the CreateFileA function, don't even expect to be
6 C2 T/ h; S& |2 h8 y8 D. Rable to intercept it by installing a IFS hook: it will not work, no way!, F5 H k) p* A2 G* e6 _% W
In fact, after the call to CreateFileA it will get through VWIN32 0x001F* y& J$ H6 r/ R
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)8 ], E0 p9 n" C7 V; m
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
1 z4 O- G* z! x; gfield.
+ x% P# a5 a. I$ V8 ?In fact, its purpose is not to load/unload VxDs but only to send a ' H- M. i% V; A+ L, j2 c6 P9 Y: e* Y
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)2 l2 `1 H4 l, V% f$ T8 P
to the VxD Control_Dispatch proc (how the hell a shareware soft could try% Q0 x! D( e) r* s+ m3 s1 n
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
, k! I, e0 z" h; m# _If the VxD is loaded, it will always clear eax and the Carry flag to allow. N+ l4 Q, P/ g3 }' i
its handle to be opened and then, will be detected.8 B7 |- {0 R) S6 `% c! `3 a
You can check that simply by hooking Winice.exe control proc entry point
1 i4 s9 F# g! ^; V \while running MeltICE.- {3 M% r3 ?( v- }7 u0 ~! d
$ K0 O9 g( W* {* m& K/ I
9 `6 ~( }) b7 [ 00401067: push 00402025 ; \\.\SICE
, r# H, P) O2 R1 ^ 0040106C: call CreateFileA
/ ^, _: ?9 F( ?' u! V2 j6 l 00401071: cmp eax,-001" V' L9 ~" a Y1 n% A8 b9 D/ \: `
00401074: je 00401091
. h" H: W" k8 y- \; y
+ d" A- ~( a0 `7 W, [; E6 b: Q: ^' {% E& W3 G
There could be hundreds of BPX you could use to detect this trick.
' |# }" B2 h r0 z5 s9 V2 U-The most classical one is:5 x2 p( }# k, R# A# M6 Y. T! f5 q
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
3 a5 J& x+ H' Z2 {' ~ *(esp->4+4)=='NTIC'
! g9 F" Y7 ^1 x$ O9 P5 X0 N* n2 [' p' ^' S! _
-The most exotic ones (could be very slooooow :-(
! v4 L. T8 C1 a0 }* h BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
: _ H# Z G% l! J! C- ` ;will break 3 times :-(( k) `' g6 u$ d$ e
4 T+ T1 k5 ]: j i; O) Q' o( G3 I# \
-or (a bit) faster: ; ^, m* _6 q, |5 r/ n
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')' B, [. H$ e& J( e" @ B0 O) ?
8 m& P5 O( B6 x$ O; k
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
( A1 x2 z. a0 u- F2 z8 ] ;will break 3 times :-(; _5 p$ u4 p+ z p5 k+ _. T. u
" r: R' K+ R1 s) d6 O
-Much faster:
. S* Z* ?& [4 y BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'
% U n$ P- H7 V4 ~+ w4 e D8 U% D. a6 `+ c
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen# f% P) I$ N0 o: c! z
function to do the same job:! M7 Y; b' L0 e f9 Z3 e
' W2 T* T: j, a push 00 ; OF_READ: m, r( ~- n! w
mov eax,[00656634] ; '\\.\SICE',0' o* t3 C: K' k9 O F9 w
push eax1 b0 v- U% E7 E- B* p' |
call KERNEL32!_lopen
6 R% W7 J' H) v inc eax
, ?2 w, ]' `% @/ @% ` jnz 00650589 ; detected
* F3 I5 C' k' U push 00 ; OF_READ' P7 N( P/ S7 R# |( c2 w
mov eax,[00656638] ; '\\.\SICE'
! A/ X4 {1 u c push eax) ~5 @) m: e' C$ C i" T
call KERNEL32!_lopen0 n1 e5 r, {% J
inc eax
! ]6 N; p- \2 s jz 006505ae ; not detected
- m/ u) c- _' r) `3 V+ a. B; ~6 m" H3 r
1 p3 P* c1 x( V' E$ x1 }0 [__________________________________________________________________________
3 U$ V! J: P/ U
& V' a6 M) N* u* p1 gMethod 12
$ ~' m2 d, d- U7 x3 p=========
" \- l7 s; x: ?6 [: K! O$ r: q; L2 k Q/ J: y
This trick is similar to int41h/4fh Debugger installation check (code 05
) b( m( |$ t6 b9 D/ n: ~& 06) but very limited because it's only available for Win95/98 (not NT)0 V; g7 S! J9 B' ~( _
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
! P9 q* Q; k$ b. \% E
- c8 L7 I# E# C! u Y2 n push 0000004fh ; function 4fh
/ k0 S/ V0 b0 U+ B5 k! u% r. w push 002a002ah ; high word specifies which VxD (VWIN32)
' U- Y( Q. x( V& T! V6 u ; low word specifies which service9 B- ^3 M1 K g* E D
(VWIN32_Int41Dispatch)9 h. Q; O$ z1 c( i
call Kernel32!ORD_001 ; VxdCall) t0 h: l# G* p6 ~6 ]$ J
cmp ax, 0f386h ; magic number returned by system debuggers) m9 Y. O" V3 R b
jz SoftICE_detected$ U5 u9 u9 w n) t& w
3 y1 I, I! q/ G" V4 m: k t$ d5 yHere again, several ways to detect it:! ~( s0 k- H: d( ]; S& U0 e
4 E _, z3 M# v5 \6 Z& j" l0 n
BPINT 41 if ax==4f) E- e! Z" J$ N1 Z0 {6 q
* S0 Z, T0 [% M6 t BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
" @* k5 ]- z6 b6 K0 o1 e& @" j. N8 c* p/ i, B4 x/ n+ b( d: p
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
# f3 d% n7 b/ }- `3 L) X- l/ @1 L% t# }% M, H$ h @8 B: _2 g
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
. \5 Q. d/ j9 I$ v9 T6 v* |+ H& ^& H7 K! Q' h
__________________________________________________________________________) u6 b8 a: M$ q8 Q* O
7 N3 w0 n, @2 M4 tMethod 13
$ B0 X/ b8 v* W=========
9 {* X# P4 e; w0 K6 O2 U: M8 b6 I4 O) y/ v
Not a real method of detection, but a good way to know if SoftICE is
+ ^0 ? @( @+ W' G. L$ y* Einstalled on a computer and to locate its installation directory.
~ N* K1 {+ K5 tIt is used by few softs which access the following registry keys (usually #2) :$ [4 C2 S+ ^; ]% Y# P/ @
! P! t! Y9 [) Q+ f4 }-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
O* Z; {, v& c3 o\Uninstall\SoftICE
0 D% [; v9 k# w8 g/ [% d5 v% e-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
8 i7 x8 T' K6 h7 {: z5 k, g! K2 l6 j-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
6 G, T$ y3 _9 D. } X& U\App Paths\Loader32.Exe7 X* J. u" j( C! s3 Y. y5 G
r8 ] k7 r1 }! ]) {# k: r6 f9 [# |3 ?" G6 N4 m- L# b
Note that some nasty apps could then erase all files from SoftICE directory
7 l7 ^1 K/ S4 Z) }8 Y# [(I faced that once :-(5 H# s/ Z% H) j+ Y! f( U& |% x1 v
, `9 P9 j% [) W( L, ^2 A6 T1 \6 rUseful breakpoint to detect it:. v% H0 }2 u- \
; T Y: J# D5 D( w BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
; R+ X9 U6 r. v/ h% w6 `8 _; s4 o- I) M8 K# q% P ~+ [
__________________________________________________________________________
8 Z0 f! {: G9 a8 `: S; R) o( f8 T3 p+ v8 l* s
7 b' X# V7 |7 i& t8 X, a2 SMethod 14
* K$ Z" y7 u) W7 T2 {* x9 w3 m3 |6 F=========) _( I& E7 }( w5 ~7 |
6 \! Q! {1 r9 n6 r8 d" P3 YA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
: q4 x* Q6 Z1 k( ]* {is to determines whether a debugger is running on your system (ring0 only).
7 c# r/ D: x0 {- [3 z5 K0 E3 t% W
: }5 S0 {; p" \ VMMCall Test_Debug_Installed
* l% B7 w. h5 m. I. p4 Q2 w je not_installed# ^2 I. v3 ] Z3 r
1 y8 S& m. G sThis service just checks a flag.
2 X. T N0 {3 n# z: U" D0 M) a% \8 N5 E</PRE></TD></TR></TBODY></TABLE> |