<TABLE width=500>! K+ p3 X4 ?# J
<TBODY>
! E' x$ F: o$ {& k/ I<TR>
, U+ s8 e k( n1 \, j4 Y1 {* g<TD><PRE>Method 01
' N8 e; o9 Q. H5 Z=========7 W. m, C% K; r+ I8 A1 [
9 O1 W9 E" \5 q
This method of detection of SoftICE (as well as the following one) is% K2 n6 q0 B' |7 y' x
used by the majority of packers/encryptors found on Internet.
; c- \# i/ d8 b9 Z3 C( eIt seeks the signature of BoundsChecker in SoftICE
8 D& Z" M. x$ c1 Z/ p- e1 j5 W5 I) L `
mov ebp, 04243484Bh ; 'BCHK'
& v0 d2 a2 c2 Q4 p! W mov ax, 04h$ I# L, D6 n3 Q9 t% S" s
int 3 ( x% n5 `( ~8 i: k: S
cmp al,4" T5 ^) Y. `: `/ t
jnz SoftICE_Detected! O4 l) P7 ~3 V* G+ W& h) s
- Q0 l1 t D$ C, ^, i
___________________________________________________________________________
" n6 J( d5 D: m$ S3 y
( W L: h8 F, K( g4 `( y8 `: a jMethod 02! I: f: K# o6 A( {; |
=========
: q" [7 Y5 d+ u% p. u$ m3 _2 M$ s `% u, g( D7 a# O/ T; q0 R I0 b
Still a method very much used (perhaps the most frequent one). It is used' \3 f+ e s6 i- I1 l( _# `8 F/ r
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,7 H& j0 ?. q4 \0 h% ~$ _
or execute SoftICE commands...
/ j* i. v, {# L3 z4 z! ZIt is also used to crash SoftICE and to force it to execute any commands
# x/ ~2 E5 |' [; ^5 w3 w# X(HBOOT...) :-(( ' E8 L4 \$ p- x: P9 R( k
, E0 i: q& d& @- N3 y, O( FHere is a quick description:- p3 P4 w- S6 [7 f, s
-AX = 0910h (Display string in SIce windows)6 `, L# ]0 S3 @! A' \6 L
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
8 ?/ X+ S4 Y. o7 g! ^( k# p-AX = 0912h (Get breakpoint infos). G8 v: `; d* X+ a3 V7 x
-AX = 0913h (Set Sice breakpoints): m) X* F1 F! W0 }: H% P
-AX = 0914h (Remove SIce breakoints)
3 A" y0 S- D9 Z2 B8 \7 Z X! ^0 c5 z/ S! h' w. z7 E
Each time you'll meet this trick, you'll see:
; N4 O3 Y7 a# U3 z* p6 t" J-SI = 4647h }7 K* w. V2 M2 ?* `: O6 p0 O& A7 p
-DI = 4A4Dh0 V2 ? r$ u1 ]- h$ z" s
Which are the 'magic values' used by SoftIce.8 E4 Y. \8 R1 g$ j& ~# p- C* q
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.$ D0 }& U& i. I9 N& a' q
# s( o& n/ h, k; A% S% t
Here is one example from the file "Haspinst.exe" which is the dongle HASP
( R7 G) h7 k. a$ }5 I. M9 a$ S( `Envelope utility use to protect DOS applications: K) n/ g( Y% U1 i* U( s
( u' O' @& ]8 V- U' C
, b/ ~) r$ I2 p8 Q: N4C19:0095 MOV AX,0911 ; execute command.% d& ~' o, e+ N
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
6 f' f6 Z/ e* \( O6 ]* {4C19:009A MOV SI,4647 ; 1st magic value.
q( v7 s4 ~# O0 L" i4C19:009D MOV DI,4A4D ; 2nd magic value.
! T4 u* t3 s1 l$ U) w4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)0 [ s7 G `" g) g% j H% @# k' A
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
9 W T/ k4 @8 r7 R z0 F4C19:00A4 INC CX
9 N" y0 Z4 u. X4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
$ ?: e" y4 l8 Y/ u* _: ?0 k) a9 c4C19:00A8 JB 0095 ; 6 different commands." Z" F+ f# p2 v5 S m5 h" q
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
; f* e9 K# v- f4 r; x' l4C19:00AD MOV BX,SP ; Good_Guy go ahead :)
4 r. y/ R$ @ f- m1 }4 A1 u
8 j: f3 V# O0 Q1 e9 W0 sThe program will execute 6 different SIce commands located at ds:dx, which5 d( f& e$ ?! E! W- @
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
" N9 ]. k7 {. n% x
) x" y' ^+ l* J/ i, z6 z0 I* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded. m" m' ~# m7 k1 [# ~; a
___________________________________________________________________________
/ Z6 J* t- H* o" ^7 K
4 M, Z, [( H2 b( r( X7 t2 @
. V6 [# R- w1 cMethod 03
$ x/ f8 I9 y8 X) ~=========
3 _7 Q, [& f* e0 H! S& f2 S4 Y* o% F1 ~
Less used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
' b* |* O8 _- J" i9 v2 `' X(API Get entry point)9 ^( W8 \0 J/ F0 u+ w' H
& M$ R T; ^' o9 M( _0 ]* R
/ q9 [" p$ U" b/ Y xor di,di% a0 N/ g+ @4 I% w) u
mov es,di( A0 Z4 I% f% q, C
mov ax, 1684h
% N) H' u: T8 x: z) u3 p( I, k0 q d mov bx, 0202h ; VxD ID of winice
2 R& u: P8 _+ j% l int 2Fh6 r. W$ \5 h' F
mov ax, es ; ES:DI -> VxD API entry point
& O" A2 t+ D' ^* Z) I) }9 n/ \$ w add ax, di
% E8 S: u# o3 f f% R& I1 T test ax,ax
S( y( t& ?! ?' q5 O. z" i jnz SoftICE_Detected
0 d% w: E6 e* E5 G8 e7 F1 I! z: z* A# ?& j
___________________________________________________________________________
( B5 h( r1 O3 j( h/ E. G# ` ?5 J9 g
Method 04
6 l$ I P/ Z% q$ L=========
* h {3 c1 X: g' q+ ~/ P+ v7 f# l
/ t" B$ F( m2 R; ]& {# Z* P& k3 o0 y# ZMethod identical to the preceding one except that it seeks the ID of SoftICE
/ W4 R0 S. l! s( WGFX VxD.
4 i: a t! K& L! D {9 O+ }
' o2 D: t, y# U0 N9 ^ xor di,di
: U# ]2 D4 N' c3 z$ ? mov es,di( m9 s/ l; z0 Y6 ~: j+ V
mov ax, 1684h
) y7 r( n2 O1 U9 ^5 [% ` c/ u mov bx, 7a5Fh ; VxD ID of SIWVID
, E7 @4 r7 x6 q, L( { int 2fh
; ~" ]% h# @" d3 g mov ax, es ; ES:DI -> VxD API entry point
& ~) A# J @: Q" v7 i add ax, di
! {6 r0 C$ S4 ~2 x; Z1 a4 t test ax,ax
9 F* \, x: o7 T/ M/ R4 N5 ]4 N jnz SoftICE_Detected
3 B b* [+ Y+ N, C! E) h# \7 k% n' d
__________________________________________________________________________, C) D* y& q3 |& r* h
0 P4 k" y" g4 {& a
, h# f4 X' g6 l# k# ~' F
Method 05' Z8 p+ O1 x* u) U
=========" t: v( I, y( L1 N. A
4 g8 X2 Z- L) T0 m/ X3 l' B2 xMethod seeking the 'magic number' 0F386h returned (in ax) by all system6 \* ~/ \" N* |/ t
debugger. It calls the int 41h, function 4Fh.
+ b1 _% M3 d- a1 f4 E: fThere are several alternatives.
% e7 `1 a; J! N; y/ _8 B3 x7 p% r# N0 `/ Q0 ^ y
The following one is the simplest:
/ f. ~: B& L3 e6 R$ r5 B$ d6 c4 c4 Z! f" o# }5 c7 j5 S, p# A
mov ax,4fh
3 R/ N/ J, A" e int 41h0 j: E, r" O- P; O! b$ l" I
cmp ax, 0F3866 }( F: V# l' K# X# ]5 C
jz SoftICE_detected
6 n, l( _! r$ s5 V
0 w. y" w: a( }% P
3 p7 B4 V, u5 @% g* DNext method as well as the following one are 2 examples from Stone's
% h2 u. Z8 Y. A5 ]7 a y ^"stn-wid.zip" (www.cracking.net):
" R- ?/ W& H, H" U2 t. B2 y( A6 C K' [: H4 A: h1 C* W* T2 A9 o5 @: b! z+ Q
mov bx, cs
) \! m: X' C3 B4 z lea dx, int41handler2
% z w& P' M( \* c: v xchg dx, es:[41h*4]
7 F$ _$ |0 n4 \4 h xchg bx, es:[41h*4+2]" ]) ?9 Y, v: N- j/ k
mov ax,4fh
3 A5 a) `- s4 s& g int 41h
. Q2 X: } D( I6 `* S/ i; z xchg dx, es:[41h*4]
4 O. `) B& j" U* l8 x xchg bx, es:[41h*4+2]
0 I% }( }3 f$ E9 @ cmp ax, 0f386h
0 N4 k4 [/ X- e# c jz SoftICE_detected
4 z8 I1 N6 [2 k- e- X- [3 S; V: ~3 K: K0 V% R0 l ]
int41handler2 PROC/ ]" r& T4 \ j) @/ k9 K
iret
# p! z% S* X4 D" x! D J; z- d# ~int41handler2 ENDP+ S# S4 B) p I' x2 x7 v* N: Y
1 ?$ J* }1 a& P+ R- M) ?/ v: G+ O! h" x
_________________________________________________________________________
# l5 S2 M$ N9 Q+ D, H @" x, m8 }- h) \2 F: C i, a& _
2 s( S; c2 J4 E% h3 a; PMethod 06 o3 E2 }% f/ ^$ F1 _# b
=========: ?6 `6 n2 b3 s3 O$ r% }
( v9 q3 K( F" q4 u$ [6 G v6 n l) a3 T5 ]. L* ?) R+ s
2nd method similar to the preceding one but more difficult to detect:+ H2 I0 R7 ~4 L
2 g4 s1 x- @1 D6 |
$ y5 f/ {6 z" E F2 L4 jint41handler PROC% ^: ~. u1 p# B7 S: c0 r6 y
mov cl,al. F' s! `5 H! F V8 l& S
iret; F& B1 Z1 i9 r: w+ d5 G
int41handler ENDP H j% W1 i7 r7 L1 I: h- K1 ?) A
1 M: i, p4 Z: _8 l& C2 q
$ F! I0 L ~% V; H
xor ax,ax0 n; I) _5 B9 _/ E6 R
mov es,ax
- v h3 j0 g* U6 d! V: H mov bx, cs
3 _7 ?# `. t, e+ o, C lea dx, int41handler
* V& c& H' L2 \1 E7 X xchg dx, es:[41h*4]8 |& ]' Y- f, N. |
xchg bx, es:[41h*4+2]
1 A$ a8 Y: S5 g3 c: v in al, 40h4 u! {3 J% L) r, y" \
xor cx,cx
) H! u$ h' G' o; o9 }( e; i int 41h, r7 M* r, I- m- W* o+ r
xchg dx, es:[41h*4]
% [- c- ~( t+ S xchg bx, es:[41h*4+2]
9 w9 ?/ c0 v( n% U8 f5 v cmp cl,al2 ^+ g5 W; x* J9 ?3 n! b
jnz SoftICE_detected* n ^/ V& W/ a1 q1 t i
( I J( l6 T9 ^! a5 h( e, o& r
_________________________________________________________________________
I7 a* N# _0 V9 k+ e; T9 A5 S
/ L- s9 P. Y/ d, TMethod 074 r0 c3 W; m5 Q, Q2 K) `
=========; m" q% U# P/ ?6 P5 ]' N# _
. }6 C, `% L* I
Method of detection of the WinICE handler in the int68h (V86)6 ~* ?5 H3 T7 t/ L9 P. G6 g3 U' @$ @
7 A$ p$ s9 ?* H4 l$ F
mov ah,43h5 j0 o# D: P9 x1 a/ O
int 68h
, l3 w( y, Y5 f2 ^$ f, j' e o cmp ax,0F386h3 s+ T# e8 M1 x" {
jz SoftICE_Detected$ M+ `$ R& q$ o8 q
1 j6 Y1 J, F) B) {0 d& u6 H" I, |
5 ^5 Q* O# q2 ^# [& n=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit) i: ^; Q x# E8 @
app like this:
9 x9 G( S* g% [8 X* c1 j" J' {+ o
: T0 Z1 `2 J) B' H0 r) `6 b9 K BPX exec_int if ax==68
4 K' u* b- g1 O# Z4 i (function called is located at byte ptr [ebp+1Dh] and client eip is
+ R# H4 X" ^* _# u located at [ebp+48h] for 32Bit apps)! k3 k+ N% ]4 |4 S* e
__________________________________________________________________________- O0 q: M, u, h$ ^
) c& T+ k' }8 A& E
4 ~1 o, l$ |4 r7 V) o
Method 08
! P8 H% H0 E/ I# c7 ^3 C$ a=========
' a B0 `' \: |# `8 V6 V, q1 U$ w% K* G7 v, L3 | ^/ q# U
It is not a method of detection of SoftICE but a possibility to crash the, Y! |- g0 G4 [: m! d
system by intercepting int 01h and int 03h and redirecting them to another$ D# q4 |5 e* \$ N" `7 i3 o
routine.
( v; f' B, U6 T9 M' S9 iIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points% S6 i& y4 p( L0 [' P2 [
to the new routine to execute (hangs computer...) P8 P8 z( ?1 T4 C# n( [
o0 A- y- {' O
mov ah, 25h4 \+ p& s. x$ |3 u# t
mov al, Int_Number (01h or 03h)3 q# s0 ^- k8 Q% I4 D3 e
mov dx, offset New_Int_Routine6 i# s1 D/ u' H: H7 Y8 X
int 21h
' g7 _* {" {7 x5 `6 J R7 {7 U' j5 D+ H1 a
__________________________________________________________________________: T2 C3 v6 E/ n' C, S7 l$ _5 q
% m+ Y* ^9 L$ ^, n3 A3 y
Method 09
1 i% o: D' A+ U- D=========& a8 Y* l8 X4 P' N
1 t; v7 V" _) l0 Z1 PThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only1 M4 X1 m! W# j. \+ e
performed in ring0 (VxD or a ring3 app using the VxdCall).
* C- L7 o o- Z& c/ g. w9 IThe Get_DDB service is used to determine whether or not a VxD is installed; f5 A3 {8 ^. c8 R l; L2 F
for the specified device and returns a Device Description Block (in ecx) for
1 F2 u+ @# ?8 P+ a3 ]7 {* L, hthat device if it is installed./ f, Y% N, F' j9 D' F! F
, h& p# ], v3 E h5 G( o
mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID* m6 p/ B6 i/ s& _0 u, G
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-); n3 q; E4 M3 B0 E& P# d1 @4 q
VMMCall Get_DDB/ |! L9 w$ {$ G- o- n- L: F: g
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed$ ^3 y1 V, \* H, J0 S
* J8 ]* v/ A R5 g+ E4 |
Note as well that you can easily detect this method with SoftICE: d' n. A3 g' K
bpx Get_DDB if ax==0202 || ax==7a5fh( |% p. n+ R3 @$ j& C
! A# h, Q7 }0 E1 P# s! n1 b! K
__________________________________________________________________________3 C/ W$ A& J9 Z$ D% ~: Y9 k
W0 ], x2 b4 L( Q% k4 H! k6 f( g
Method 10
! E. ^# c3 H. S% z- g j=========0 |5 D9 j9 D/ D
9 A: }, D8 g8 x: @+ [=>Disable or clear breakpoints before using this feature. DO NOT trace with
2 K# C% T7 [! i! ? SoftICE while the option is enable!!% d, }6 c, |3 ~1 o6 l
* l8 _9 A" O1 |0 a0 B
This trick is very efficient:
7 C+ f* G" `! D! c9 jby checking the Debug Registers, you can detect if SoftICE is loaded S5 \$ m( B$ t. ^: _
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
8 T( H. O, ]$ P5 N( |- Tthere are some memory breakpoints set (dr0 to dr3) simply by reading their/ n& \4 E9 }3 x/ h2 V
value (in ring0 only). Values can be manipulated and or changed as well
8 h( y+ M. k9 a5 T; o(clearing BPMs for instance)2 }& x @9 [$ j+ i6 o$ O; X5 s
7 _ D. } r3 M" d: Q+ z" x__________________________________________________________________________
; A$ P% B$ T& ?' g9 t, i/ i+ C
$ A. u8 E0 s; D- u* I, a9 N+ O6 HMethod 11
5 k' x9 g: x2 U. r=========
' G. R1 b' @- E4 b$ ]1 d* J( R* h' ], b. h$ i
This method is most known as 'MeltICE' because it has been freely distributed! _ h) X. h, v- n$ ^
via www.winfiles.com. However it was first used by NuMega people to allow5 p: ~% T( a7 B
Symbol Loader to check if SoftICE was active or not (the code is located
' |' Y3 C5 z5 Yinside nmtrans.dll).
# o% ~, z2 P" o" ~( x) _# u2 c% d5 K' m1 n( |- [
The way it works is very simple:
9 ?- E t- E# q$ C# ^: v' OIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for- L& W# g. \5 P1 W) \# R
WinNT) with the CreateFileA API.
* b- D4 v, ^6 W: d8 P+ t {1 ?3 _; p, F) ?# v
Here is a sample (checking for 'SICE'):# v1 c7 w1 E. z- L {7 \- e8 J
/ H5 x3 A; \# F( F3 ]% f/ T
BOOL IsSoftIce95Loaded()
, i" ~) M5 \/ R0 o" v f{
{( h- ]7 G. ^" @ HANDLE hFile; 8 p/ T0 d+ K# m4 j; u0 ^/ S) ?
hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
" V9 g* y; O7 p `8 T7 T FILE_SHARE_READ | FILE_SHARE_WRITE,' o4 h% I x+ P |
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
9 b7 F$ I" w | if( hFile != INVALID_HANDLE_VALUE )
: {9 {) Q0 D2 d, r) \3 I {
$ q5 W W9 C# ~- F2 x! t7 h CloseHandle(hFile);( ]& X% R, n4 Q+ q9 K% b {, M6 S
return TRUE;. J c' @* w, S. j9 l9 q
}
0 s# i, A0 Q4 Q return FALSE;9 _3 N l4 s4 |" l8 e3 |3 R6 F7 g
}
; C; @ n' ], N0 D d. |8 \* Y' s3 v
' t# y/ E7 `/ w! u2 _3 g0 |Although this trick calls the CreateFileA function, don't even expect to be8 F( o- `, _# q$ s- J; y% X
able to intercept it by installing a IFS hook: it will not work, no way!
" }) u0 ?' @# G; M% r2 A% z, L3 ?In fact, after the call to CreateFileA it will get through VWIN32 0x001F. I( h) e' Y! a) u b
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
; y7 K' N5 n! kand then browse the DDB list until it find the VxD and its DDB_Control_Proc
) t2 w$ H/ w# z3 l$ s+ V7 Gfield., Y4 M2 }3 w6 l/ ]- _6 U
In fact, its purpose is not to load/unload VxDs but only to send a
& l$ Q+ g& _; TW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)+ s6 x* W1 b: K- j: \" K2 g
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
! D/ ]' ?0 g1 S& q8 _4 ~; C; T! dto load/unload a non-dynamically loadable driver such as SoftICE ;-).3 s! D; I* o- v$ y& Z. |
If the VxD is loaded, it will always clear eax and the Carry flag to allow L" V4 z+ {% c+ B: U2 }! T6 q
its handle to be opened and then, will be detected.
/ ]1 S/ c9 |' l. M) @0 D1 l* C5 zYou can check that simply by hooking Winice.exe control proc entry point
3 K* Z* W+ w( d& a+ E, Hwhile running MeltICE.
5 b9 o) n( h& h* H7 ^7 w# b# x3 e* H L5 z; x) a# I4 c% e/ G
0 A; D, s! H3 \; y- P5 \9 f 00401067: push 00402025 ; \\.\SICE
$ Q" `# A5 ]9 r8 q; y 0040106C: call CreateFileA
/ ^. J- d9 D+ V" p+ t' ? 00401071: cmp eax,-001
, n* r( ~1 y& @ 00401074: je 00401091, F8 { c5 d Q; J1 @
$ A& s/ f( }# A3 P, ^
+ i& C/ }1 s' _* W S" z3 m2 {$ AThere could be hundreds of BPX you could use to detect this trick.) {" E3 U. E/ U4 T, N
-The most classical one is:
' q. E' `1 m& S, {1 O BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||" _1 B% S5 G& }2 s
*(esp->4+4)=='NTIC'$ L: l) F; o% x7 X0 j7 \
$ z. R1 b9 x- v- I0 q, I
-The most exotic ones (could be very slooooow :-() `4 |* v; D& u* e. G6 a+ D+ g0 U+ w2 j
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') % `7 _' H3 S+ O2 z; {1 G- e. ]
;will break 3 times :-(/ p' I- e5 }+ I0 V0 ?% z
+ C; u) w% O2 c: I S% \+ j9 d. t
-or (a bit) faster:
0 Q0 U" Z. N# _" @0 ]1 w BPINT 30 if (*edi=='SICE' || *edi=='SIWV')9 g; x( m) x8 a. q) r
# d! |% K# h+ ^, x u
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV' ( `$ i+ D8 I. g' g3 M( |
;will break 3 times :-(
* L" [- p4 D1 u. C5 m% D& _" y% e& B H+ Q% s
-Much faster:9 M- N8 K k j1 M. \' ?$ q
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV') T! S$ M, p7 _& L; K* K
. @& g7 e& I" k- H1 j
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
- ], V: b4 {, y7 ^' Ufunction to do the same job:+ P& l3 K* Q7 B5 M/ h* d
2 j3 K$ P9 U2 d6 D
push 00 ; OF_READ( R0 q l7 z0 D' \
mov eax,[00656634] ; '\\.\SICE',0
6 m F/ x7 Y* R. `0 K' L5 U) l push eax
; b$ [6 J7 i+ s' ^* C3 g' } call KERNEL32!_lopen/ e! }# Q2 B1 |; h1 s
inc eax
. `. B w i5 |7 M# |' k: [7 e, Q jnz 00650589 ; detected
3 L$ }: P5 p1 D9 S( } push 00 ; OF_READ& K: `9 E/ F9 J
mov eax,[00656638] ; '\\.\SICE'
+ X7 `& Y" }2 |1 E push eax
: l8 Y% o- ^( i, O9 s3 M call KERNEL32!_lopen
7 Q% G& g4 [5 w* f A$ ] inc eax
- M: B* r: u, N4 v. T+ H jz 006505ae ; not detected/ k5 M m$ c7 ~: O
- U* ?+ v2 x: g, M1 R
; o$ }! P5 M1 i' E8 k- n2 w
__________________________________________________________________________
' ? `# f8 r; j2 x
7 A6 G; J5 @# s, w+ x; yMethod 12
v4 C+ g5 ~1 x4 g3 \) T=========, e4 F: R/ q# j" H! B" T7 q3 Y
" j# R+ e- r8 G t0 ]7 H8 XThis trick is similar to int41h/4fh Debugger installation check (code 05
) Q+ U7 S7 s; J& 06) but very limited because it's only available for Win95/98 (not NT)
0 O; M7 I* L% Y% m, ]# z8 l: [as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
% Y& g# }8 U0 u, w. n* u4 a# M1 {; X% q `; `- W
push 0000004fh ; function 4fh
2 _( F& C/ f* u- d push 002a002ah ; high word specifies which VxD (VWIN32)0 a0 V; I B' p- E& \( ~! ]
; low word specifies which service
& f/ w* V2 B+ s* n (VWIN32_Int41Dispatch)! E9 O/ _9 N N" U' ]! y/ }
call Kernel32!ORD_001 ; VxdCall
/ z+ n6 O, ?! I2 b* u" m/ Q. S$ m cmp ax, 0f386h ; magic number returned by system debuggers
4 y1 L( [ Z9 \: L, C! W1 x$ h$ S+ c jz SoftICE_detected; g0 y" g3 f9 s. p, J3 J4 S
5 f: }4 @) G; q2 q" @, g& ]
Here again, several ways to detect it:* @. G3 C! E, t3 R$ Y
) ]" K3 [* j' a5 W# T* ^ BPINT 41 if ax==4f
. K/ y& Q, ~1 |2 o6 o
: P/ {5 s) y5 H& ]8 A' r BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one @! [, b, {! R1 m
' v6 z, ]- D, z) c
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
# o+ G/ S$ b; q" K/ Q, @( H' T3 c; c( z6 a" W- \% _! {
BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!* m5 k4 e. m8 [. U# R" Y
+ F3 {6 V2 a+ H4 ~) A7 Z8 x
__________________________________________________________________________
$ p4 c- k7 F; H: w! T" H l; P* f0 a
Method 13: M8 U2 ^+ Z! p3 k! c5 ]
=========( l3 p1 \# d" [9 @
' X8 {' R: D% N
Not a real method of detection, but a good way to know if SoftICE is+ `3 V% f8 ~6 e+ `" A( @
installed on a computer and to locate its installation directory.: V1 `' X3 _) J0 W
It is used by few softs which access the following registry keys (usually #2) :
5 Z* y0 S( L! i0 p% ]9 d$ R: W
/ N" m8 N4 a4 P/ R! G3 A" d-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
7 U; I) [6 [6 s. W# x7 V\Uninstall\SoftICE
& Y% {' ~6 m/ H5 x' S$ g f+ v-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE+ m6 t" i0 M- ~) [2 Q* a
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
0 L* g3 Q9 y* _3 m# s6 i0 }, g( ~2 v( ^\App Paths\Loader32.Exe
, S0 h( ?1 x6 X ^/ K
l+ d( j4 R. ]& x) A L/ ]/ C8 X& j J) E# b. U: c- G K2 J6 i0 O: K
Note that some nasty apps could then erase all files from SoftICE directory* O3 F$ M* ~1 Z# I" B9 m( x! e" R
(I faced that once :-(
* ~& Y: Y% a1 }" X0 _% J: R" B% X7 x. }( Z% L1 D9 _- s
Useful breakpoint to detect it: U( R# b: `. F, l( k4 }) E$ L! A
% r, v, g1 j; m6 P: V
BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
; I; \6 A- i, e, Z$ ^9 a& b9 P& m* H& E6 H9 y
__________________________________________________________________________+ D/ s- ~ h. h4 z
. j$ y ~ b, \; f, H' b- y3 j0 N* j- P* e
Method 14 6 w: L+ s1 V& r4 Z l9 y$ c
=========
- ^) D1 A/ H9 p7 E4 g1 H& s* {4 X" ^! \# {2 z* S; Q8 [
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose2 z5 W8 J& `/ P% n: @5 C$ a3 F
is to determines whether a debugger is running on your system (ring0 only)., D. [5 [% v" h7 T
7 [- |5 R2 O( j# U4 Z
VMMCall Test_Debug_Installed" e k( \8 [* M- H. g
je not_installed
1 I* E* P6 v% K2 a0 t7 M( G; |$ p( t+ f+ ` c; [
This service just checks a flag.
" V M& X& u4 G, |$ u</PRE></TD></TR></TBODY></TABLE> |