<TABLE width=500>9 H: ]$ c' R5 q& h4 [$ O
<TBODY> r; [( p: t5 y2 z
<TR>
: x! S0 v; J; |3 Y/ i<TD><PRE>Method 01
1 _) E7 n9 g: n8 n=========6 \4 @7 i( q0 Y9 w; `0 `5 I) P
. Z- k$ C4 y6 l% w% o- g
This method of detection of SoftICE (as well as the following one) is
) u+ c3 E7 c9 B* \% o* bused by the majority of packers/encryptors found on Internet.
3 w8 Q# \1 R$ t8 t" e# uIt seeks the signature of BoundsChecker in SoftICE% A# }7 e: l5 q
) F% {: R7 z6 P1 ~6 Z7 B/ ~
mov ebp, 04243484Bh ; 'BCHK'
# E1 U3 c: h0 Y, R4 Z! W% s$ Z5 a mov ax, 04h( L) m Q8 h" U) t- ~
int 3
w9 T7 t- O, `( J" e, ]) U& u cmp al,4" I4 ^' ~- m' R
jnz SoftICE_Detected4 U s' [* q3 F5 V4 o
; n E) p) T: J) V: S( Z. V
___________________________________________________________________________
! o( M' h+ q4 ]/ Q
! H4 a( E/ R3 [* z1 d$ W# p! G2 sMethod 02
* a/ m1 x0 w* m=========% b3 Z9 t N0 [- ?2 u# y6 e) h; O6 P1 g
. v2 G" |+ T7 v. P, P: ^
Still a method very much used (perhaps the most frequent one). It is used, {% m O1 R; g5 l5 w2 R1 P
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
4 x& j! `7 o. \ ]/ l; G5 y: hor execute SoftICE commands...6 K1 [$ U7 J' ?' \
It is also used to crash SoftICE and to force it to execute any commands
0 `) n) a6 i6 D: L& Z @(HBOOT...) :-((
4 C! N0 { P, g9 U: ^1 \) J2 f3 s0 z) X5 m$ p
Here is a quick description:( \6 \! Q: e3 F8 R
-AX = 0910h (Display string in SIce windows)1 r+ S, s Q/ \5 d
-AX = 0911h (Execute SIce commands -command is displayed is ds:dx)
3 |. s: ~+ f% K$ ^1 K-AX = 0912h (Get breakpoint infos)5 X4 a. x# I/ j! F2 _
-AX = 0913h (Set Sice breakpoints)
) o+ F$ E8 I" h( e; U-AX = 0914h (Remove SIce breakoints)
. Z f4 u: `9 o. f" f/ Q5 G1 R0 R9 g& o( g# K; ` h \
Each time you'll meet this trick, you'll see:/ n; R' U& c, v& _1 r
-SI = 4647h
3 a4 V8 ?5 X# D5 v-DI = 4A4Dh
. n5 p2 N5 J* B! RWhich are the 'magic values' used by SoftIce.9 F% v) J' z# O W; r
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
) b Y, x. v) F( K+ s9 x% T
6 V& `7 o! [+ A, V: nHere is one example from the file "Haspinst.exe" which is the dongle HASP
. w0 V. W1 m7 GEnvelope utility use to protect DOS applications:% ~3 [ o! y0 ^
( |7 \2 m5 R9 l& Y7 Q$ @
7 ^7 W1 P- `5 C) L1 D4C19:0095 MOV AX,0911 ; execute command.
* ~: E g" H9 k# o7 S! O4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
; o1 i* Q9 h8 }0 p, K9 X4C19:009A MOV SI,4647 ; 1st magic value.
. C" f( f: F( o9 `2 X5 a7 ]4C19:009D MOV DI,4A4D ; 2nd magic value.9 q5 I) _# m) n9 |5 E1 f. M
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*)
6 ?; G( S/ |% b" A4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
6 `" s4 G, m( D3 y2 E3 ]7 ]4C19:00A4 INC CX
+ I, d0 g2 v7 I9 k& C. w" s4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
' N: U) ^8 [. D* O4 o _! i4C19:00A8 JB 0095 ; 6 different commands.( y9 c3 V) B, d$ I+ q0 i
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
B+ R! [; O* e0 x4C19:00AD MOV BX,SP ; Good_Guy go ahead :)5 n) x; _0 Y" Y, d$ j) b
9 H8 [6 U9 e5 d9 P" R" qThe program will execute 6 different SIce commands located at ds:dx, which
, c0 L0 g0 z. V; o/ Pare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
. C* F# i+ s9 g+ T4 U: |' [
% n% p- Y' u; N) k# Z2 e9 q* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
& W c' o; \/ c5 |3 b___________________________________________________________________________
0 H! m' j6 Y( b T- Q
5 X. I- S- o% g/ k
+ m ~' W/ n/ S4 y9 ^- iMethod 03
; Y$ Z, `1 j- |* X- a% i9 J=========5 [+ W! p! v$ z" g
" \: J& }# V: x% }4 \: ?8 ?% uLess used method. It seeks the ID of SoftICE VxD via the int 2Fh/1684h
/ Y" y' L+ |2 H Z" u6 S3 ]3 u9 j* m(API Get entry point)3 J8 H: I+ f) }- |
2 ~; q8 h' U" s6 t" [: J0 @
! U! b( e0 r" Y) e+ f( z xor di,di% x* Q# h. j8 k$ ?. _
mov es,di
% W/ H: g; A& a mov ax, 1684h ! L; s2 E0 k% G. Z# J4 ~! U9 k5 b
mov bx, 0202h ; VxD ID of winice
3 k6 J" c* |1 H1 ] int 2Fh
! ^0 {# q' X5 G; ^5 m mov ax, es ; ES:DI -> VxD API entry point7 t. {$ Y% E2 I9 R( j4 A$ [. W
add ax, di
" q& M1 r) G3 L" c; c1 Y test ax,ax" ]& f, X; v# Z2 Q* W+ H6 n
jnz SoftICE_Detected
7 e( d4 A+ ?" w4 e: Q3 ~% {5 U6 W; t6 x: v5 W
___________________________________________________________________________. ^7 `6 F' F! \' i3 l
9 M `* `/ [8 ?+ @( v1 S. a
Method 04
+ B+ I: y5 d3 X- {5 k( Y2 s5 G$ }$ F=========; V) l. m4 G4 x' E# i, ?* x) i
4 ]. O" w+ _0 G9 jMethod identical to the preceding one except that it seeks the ID of SoftICE/ B! I1 Y" C( O+ V j* U) A5 H
GFX VxD.
7 k( Z. {4 Z) }7 K3 D2 A" n ]0 F" Z& ]
xor di,di
2 B& V; u! K: F3 |2 R n mov es,di* b' o: R H/ [2 Y1 Y7 v
mov ax, 1684h
7 J* i- w7 I& _% u$ z t q mov bx, 7a5Fh ; VxD ID of SIWVID& _8 O3 s4 `; _) S
int 2fh
" P- [. Y$ P3 G! m6 m+ Q mov ax, es ; ES:DI -> VxD API entry point
3 @$ Y* C6 @$ R5 e* f add ax, di
3 x/ D8 g* f( a/ E3 ?! d' ^. l% o test ax,ax0 E2 A$ s/ r: U- Z
jnz SoftICE_Detected
/ s3 G1 |6 n" s0 c- z) H: ?# A1 o4 ?
__________________________________________________________________________# t" k4 Y$ O+ g6 i# s
4 c& y( ?& B J7 B9 q
: g4 `% L3 r, z; i% X
Method 05
1 F* K" X) b* |5 Y7 x4 E4 a9 I=========$ h8 W: a+ u& H' o' K6 I
% S& [) J) v5 {. M
Method seeking the 'magic number' 0F386h returned (in ax) by all system- |# I: N+ W$ \4 {4 A
debugger. It calls the int 41h, function 4Fh.( t: O, J! o6 I2 T8 f/ V
There are several alternatives.
+ G1 M4 j" i; ?' l* t2 Z) J/ H% _" ~2 Q% ]; ~$ E: d, C* D* t
The following one is the simplest:
1 G" Q9 D u. K y
& n6 E9 d8 J$ w; K7 f2 t mov ax,4fh
; B" X: g% W$ D ?* _ int 41h- }8 ], V3 e& ^1 i1 K9 l- Z2 p
cmp ax, 0F386
. c c) {' Y0 P9 i2 W3 p jz SoftICE_detected
& B6 D+ m4 N) E! V8 s* e/ b4 o! h7 k8 Y, @. ?( w
/ T6 h' [7 m6 q+ vNext method as well as the following one are 2 examples from Stone's
4 r! s# ~8 c0 y$ N8 }- p"stn-wid.zip" (www.cracking.net):8 D5 h" T" B9 O3 P7 v
b% u; u6 O0 ?) F G
mov bx, cs" g$ a2 s: x7 z$ c
lea dx, int41handler2: |$ u# f1 [/ M5 j
xchg dx, es:[41h*4] i0 `8 c# o! W* k
xchg bx, es:[41h*4+2]0 @4 w4 L8 l$ b5 T# n( x! I9 ~, i
mov ax,4fh; Z: g! R- Y+ A' \% T, o9 ~6 I( G
int 41h
4 {. X: E6 a; U" O5 p/ u1 a' ? xchg dx, es:[41h*4]( k. \1 N5 D4 T5 l' B( b L2 B
xchg bx, es:[41h*4+2]
) r$ | r5 ^* O9 P cmp ax, 0f386h
# g2 B: G7 r. I8 }+ b jz SoftICE_detected# ?7 _ ~; O! A+ V* ]! h5 \
. U6 d, s! H2 x% G( m
int41handler2 PROC
( p6 F; o% ^# S Q" |' D0 @ iret s# e6 I" v7 L5 H2 F) \
int41handler2 ENDP
6 { t- v- h& Q7 ^1 [& O4 X( ?% i
/ ~2 u* l2 n4 A6 Y( i3 Q
_________________________________________________________________________6 k- j' i3 `8 \; f
9 N, `( ?+ t7 z0 V2 \$ J; @4 Y4 c# f; t1 Y
Method 069 Z. g9 k) y+ h P1 ]; g$ X2 n
=========
1 h/ L3 g& @) w4 e+ k" `7 U
4 K' n# e1 N; } M
4 ~5 I( U! z( m. w B" e* o% U2nd method similar to the preceding one but more difficult to detect:9 l# N* \! l. @& A0 a) B0 c& ^
) i" d6 X$ M0 e% [$ l
2 k" R( Q4 D- e6 j" {
int41handler PROC
! Y4 Q. ?5 j0 O" ~ mov cl,al
8 |' X& \" s+ A$ s5 i$ A7 V. w iret
* C/ k3 k8 W4 H# d" Iint41handler ENDP& T0 ?/ V& l. ]5 `' M8 s1 |) n
5 m; {, o, R) W& b6 |6 E; ~
3 d$ z" n/ V* }" R' k. e6 v xor ax,ax
7 }# \0 |- q9 z3 m mov es,ax
g. u' _* y$ D- Z" q mov bx, cs
+ S$ Z' P7 S0 t0 d lea dx, int41handler+ E) m: @! K+ a0 _; c
xchg dx, es:[41h*4]
8 x% J! y. o' ~8 L) L! D xchg bx, es:[41h*4+2]# Z0 b& C( l& L! Z
in al, 40h6 T5 J5 k1 E' l
xor cx,cx. ~( k5 U$ S. e ]# T: _' _) Z
int 41h
% `$ ]0 ~- M9 H4 \' I xchg dx, es:[41h*4]$ k; H, k. |5 C7 P( M8 v
xchg bx, es:[41h*4+2]
0 s( a e/ Q" y! o, H' o cmp cl,al
' @& i! i0 Z O, v' y" |( g jnz SoftICE_detected0 F; [2 F; Y4 ^- v' q
1 v" D5 J- B. x4 E
_________________________________________________________________________
+ \7 n5 o* x& y7 P& O0 _
* x3 S( u- o. N( z! v1 ?- ?Method 07
2 A9 A, P4 o9 q2 Q=========! P F% S+ O0 Q4 w! K. z5 Z. ~
! x/ e2 X, I0 e6 s# J! {, g
Method of detection of the WinICE handler in the int68h (V86)0 I* D* Q8 G, z8 d& ]- }6 ~
0 }2 g. e. Q" c5 h/ g L; v mov ah,43h9 n) S+ |1 w: W+ Y- f1 d
int 68h
( c) o' V, Q { cmp ax,0F386h3 o9 V8 o3 n% s( d) T
jz SoftICE_Detected
) C/ r" f5 c2 @6 N+ B* J
' h8 t b: ]5 Z' |1 c* p$ Z0 l+ Q: `4 Z i2 Q- `$ h
=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
! r- [$ F" ~$ P4 O" D3 _' S app like this:
8 s+ a' q& x M" C/ X" U0 A5 w# ]. K( z+ Q
BPX exec_int if ax==68
' n1 V6 I: |/ ] t6 R# t8 v7 q5 ~ (function called is located at byte ptr [ebp+1Dh] and client eip is# r5 K/ A4 ?6 j7 |0 G$ N: t% e* d% R
located at [ebp+48h] for 32Bit apps)
! A- ~+ Y1 k/ k" W! r2 A: v5 x+ ?__________________________________________________________________________3 I. [8 E0 a0 O% |/ y
6 Q; k8 ~4 z1 H+ D
. @: V! u; K0 a& n" \
Method 08- V( T9 x/ p4 W U0 P+ h' y, ?0 g: a
=========
, c4 x* A5 b- {: Y+ H; z4 o" @3 |3 Z- c4 B+ I
It is not a method of detection of SoftICE but a possibility to crash the1 O7 Y; ~& w9 D. C: E6 N
system by intercepting int 01h and int 03h and redirecting them to another
1 o [7 n! F4 L0 A6 ]0 U0 aroutine.
3 v1 c2 |( Q' xIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
% f5 i* b; X. ]to the new routine to execute (hangs computer...)9 [8 _! B$ e- n0 J/ k6 U
! m" f/ f5 j7 m& A3 I! q( T
mov ah, 25h
# E: C$ V: f6 R2 n9 s mov al, Int_Number (01h or 03h)
8 b, @/ X/ C5 A mov dx, offset New_Int_Routine
0 K4 B* I9 n% \3 ^- P int 21h
9 b7 o% V2 g! I4 h$ ~' [: K/ J4 S4 i4 Q' a% [0 a5 r
__________________________________________________________________________7 v$ m# _( o; [0 o4 P) ?+ o
' x$ z( T, m; R JMethod 099 m( e4 H. ?2 x. H+ V$ |
=========
. S7 }: O* b3 y' F( d0 \1 r7 ~- c
( v2 u1 @+ L$ @* X- t" XThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
) n" `! p7 D, v' z+ H: Cperformed in ring0 (VxD or a ring3 app using the VxdCall).
$ q( D0 o# ~. @9 A$ n7 q* {9 ^The Get_DDB service is used to determine whether or not a VxD is installed
g* M" D0 g1 |! pfor the specified device and returns a Device Description Block (in ecx) for
, u* ]0 s0 ?0 U! p z! \that device if it is installed.
7 o/ [: z8 Z4 z e, c
: q; r+ |$ G: c$ u& i mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID+ \# g, T" A7 t' c0 X! e* `0 h
mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
5 `4 U: C+ {0 N. z9 @ VMMCall Get_DDB. F% l/ m; ~0 b
mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed
7 \5 r+ B8 o8 h+ n ~1 I7 C2 d' U$ z- a1 g4 T1 }
Note as well that you can easily detect this method with SoftICE:7 Q6 Y' {+ m: i
bpx Get_DDB if ax==0202 || ax==7a5fh) f6 `8 }+ d7 G; K- X
6 r% I# v% K3 {" O1 ]! V
__________________________________________________________________________
7 P- s7 M' r" A# t+ a1 s+ t9 {3 i$ P, t
Method 10- a5 @) Z! i# q8 w+ i Z# @1 e/ r* q
=========, v' ^$ i$ e3 w, u @0 Z% S% N# Y
# ^: I. v" V- E" _- j
=>Disable or clear breakpoints before using this feature. DO NOT trace with
5 m( `5 H5 f, w9 Y8 L SoftICE while the option is enable!!
5 y- [5 w1 A# [. y* |% ?7 _% }' x7 ~8 U1 h# K/ y2 N& v' {
This trick is very efficient:% o- T, [% A6 M7 T
by checking the Debug Registers, you can detect if SoftICE is loaded' Q, `9 N5 H! y% U" D% B9 j! _" `. v
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if; L; g/ T$ G" O. a* `
there are some memory breakpoints set (dr0 to dr3) simply by reading their
8 v0 J! D& C- s9 U- ]/ ^- @value (in ring0 only). Values can be manipulated and or changed as well# [7 E' V- s _( a% W( X
(clearing BPMs for instance)
. l6 u% o. M6 s# C- Y
5 t, W; T* X, F8 B+ ___________________________________________________________________________% {3 s Q& o+ X5 f1 j
8 V$ Y! Y) y: k4 o& L# z
Method 11
6 R/ |( T9 S9 p; }=========
: |. O, M7 P$ p# r: ^( L) z; L8 F5 p
$ `3 m" L1 [' c- V- \1 }1 rThis method is most known as 'MeltICE' because it has been freely distributed
7 }* B, c, P! v: k+ ivia www.winfiles.com. However it was first used by NuMega people to allow
3 h) I# B- }4 Q; x+ ]6 b% m. gSymbol Loader to check if SoftICE was active or not (the code is located5 h: c4 d/ f+ H" {
inside nmtrans.dll)./ a2 I) {, U- Q7 z
' q2 B3 U( O& j& X& oThe way it works is very simple:
1 ?3 _. |4 s9 ?! q" _7 EIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for" }+ }0 D& i% B) w
WinNT) with the CreateFileA API.
6 L7 [7 {3 c _& T8 L% x# R8 q9 J
}8 Z. E2 @+ y- a6 Q- p: WHere is a sample (checking for 'SICE'):9 @2 x! [, X" H |; m1 V" X4 D
8 B1 K4 |1 l( V% X4 D ^+ }3 gBOOL IsSoftIce95Loaded()
# L0 o; A1 S# b1 s/ w, s, w{
4 @+ r2 @ S0 U' j# s# V% Y1 G HANDLE hFile;
0 E7 G' n+ { t; r- O hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
5 m+ d" [6 q: | FILE_SHARE_READ | FILE_SHARE_WRITE,
0 s$ c8 f% w6 Z3 h; W- Q' i' \ NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
9 `7 h% R! U Z. a3 j1 F if( hFile != INVALID_HANDLE_VALUE )
: O+ e6 V n- E5 x: U( j1 H! z {3 S+ g2 y0 m* F4 N+ @# L
CloseHandle(hFile);
8 M( C( k- w# a8 O return TRUE;
( m: K* z: K! ~) c }
Q5 f' _/ U1 { return FALSE;
/ _0 q( h( t0 s- W& U( I}% E1 N+ e# G& d4 f8 I
8 n* r. C$ ^+ g2 [- @9 {
Although this trick calls the CreateFileA function, don't even expect to be7 G% t* e: L& z7 r( W# x( O
able to intercept it by installing a IFS hook: it will not work, no way!8 g" X2 k- r+ u9 X& h# C; u
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
, {% q# g" W$ T& P7 ]service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)- {5 O0 @6 I' ] F# Z/ z3 i
and then browse the DDB list until it find the VxD and its DDB_Control_Proc& y0 | y0 i1 B6 ?9 }4 G1 C! G1 Z1 T6 e
field.( q# Y* ]0 h' i0 G! ] ]) h4 c
In fact, its purpose is not to load/unload VxDs but only to send a
; P( C6 {! s* h& H8 G3 rW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
u) \) z" c, eto the VxD Control_Dispatch proc (how the hell a shareware soft could try% @1 B) R: }' r$ i
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
. @4 f6 |3 ]8 Z9 G0 w% K; [If the VxD is loaded, it will always clear eax and the Carry flag to allow1 N! ^7 P/ ^5 a$ `
its handle to be opened and then, will be detected.8 L+ R- H( C0 R* E6 [1 T7 k
You can check that simply by hooking Winice.exe control proc entry point- o4 ` Y9 n1 n' P& O
while running MeltICE.1 A8 ^1 Y X: L/ {- e2 u! {$ k
, B: A4 h" u J% S
* ?4 b; U% M5 z. [' M$ C: V 00401067: push 00402025 ; \\.\SICE
* g5 x' s" D& I6 N) R 0040106C: call CreateFileA
5 z" {7 q* T2 ~5 ~ 00401071: cmp eax,-001
* q# Q# D9 k+ h$ j9 u6 c( y. i 00401074: je 00401091
" \5 c1 e! X: k! D
1 K3 |8 J7 d: X: J) S/ R- E( L' |1 `, }
There could be hundreds of BPX you could use to detect this trick.
6 C' W' D/ i3 ]$ _+ e-The most classical one is:' I1 }1 x4 [+ y$ y7 v
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
3 o- [: I( f# L! K7 f8 v0 _2 R *(esp->4+4)=='NTIC'
6 {. a. [; x; O! ~& F4 z& p; O2 a. Z9 u6 c
-The most exotic ones (could be very slooooow :-(
1 F+ z9 P# n. j/ a5 V# T4 R BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV') $ C @, P! }+ }8 I$ p
;will break 3 times :-(
9 B N5 `5 ^% |9 o+ W" b! v0 `; N# z* ?$ T! M
-or (a bit) faster:
& S: S! P I: e BPINT 30 if (*edi=='SICE' || *edi=='SIWV')" F5 r$ e' a+ A2 N( z. F
% e1 S8 Q, W& H5 u- t
BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
3 J% P" ^# K ?5 @ ;will break 3 times :-(* B: F% A7 W' N( ?
- m; ^6 l8 o! ^4 ]* N" G-Much faster:7 t- n$ K" t& u6 @1 `/ }4 _
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV', f9 x) ] U& t' }
! z! _ s2 \% ]) w% ~
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
1 {( }6 _/ F# ^, yfunction to do the same job:' W/ a# B3 o; d* D, g. s/ A2 h
: @5 U0 X6 V5 A! e3 k, Q push 00 ; OF_READ
0 w$ e$ F/ v' _8 u7 ^8 W7 z: |3 C, w mov eax,[00656634] ; '\\.\SICE',0' Z6 n5 l/ w0 S6 {! l# _2 O
push eax
* R4 K$ e2 e# t& A" ^* b call KERNEL32!_lopen. c) G6 \. Y0 `4 f y% i i
inc eax5 d# \8 Z* d3 ~. [6 z r
jnz 00650589 ; detected( d7 X" E2 G2 G7 r% k- \+ e
push 00 ; OF_READ
h8 Z1 {# [( r; a( F @1 t mov eax,[00656638] ; '\\.\SICE'
" g/ i5 N! H! o' P T& o push eax/ w* ^) K8 _% B
call KERNEL32!_lopen
) T, F) _$ v. H1 a* c! A0 }. C* w inc eax
v9 k( q3 A) o' ?9 F1 ~ jz 006505ae ; not detected/ a: v6 l( F$ `" `/ V, h- q
7 z1 p; y9 g2 Y+ @# O
- a1 [) j' N8 U0 r+ y C__________________________________________________________________________
! g: c$ p: D+ Q$ h" a6 M( Q$ }0 r" w7 X% y9 d
Method 12
$ q. u @6 V% \8 |6 Q3 h+ v=========
$ @& m) }! i+ S/ w
- Q3 v* ?, u/ R! l! l- G7 y: y2 {This trick is similar to int41h/4fh Debugger installation check (code 05
5 A! a3 F1 y- U& 06) but very limited because it's only available for Win95/98 (not NT): x3 b9 D# M1 W+ `8 U
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.2 J7 p4 u: d* M0 |; j. x! G' X
+ F- `$ d4 t; c7 @# y push 0000004fh ; function 4fh
" ^; B% V% p+ H2 X push 002a002ah ; high word specifies which VxD (VWIN32)" h- J) h5 B0 A' D" o/ ~7 x2 A
; low word specifies which service
5 G$ B8 {* a; j8 H/ J (VWIN32_Int41Dispatch)! C. N% [/ S9 I! {+ Q" g
call Kernel32!ORD_001 ; VxdCall8 {& q1 u& K/ @' T* z( U! ?. [+ [
cmp ax, 0f386h ; magic number returned by system debuggers
" k% Y: r" m% b6 h' t) M; i jz SoftICE_detected
3 c z+ r' B) T# ?6 _* o* d
: A; a! [8 }6 I" N9 V f8 T& @Here again, several ways to detect it:0 M2 N: Q5 p" `
9 R0 C7 n0 r8 w3 i9 ]' F BPINT 41 if ax==4f; S: a: [2 x$ [% L) @* J/ o) t" a
; e+ d/ o' P3 x0 T: s" m BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
# Q$ ~5 K2 z" b2 P- p9 B. }% \& w; u( ?# F
BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
' J8 Y- i6 ~& }9 a
% w5 S& t2 g* R( P5 t' ^ BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
6 L" \6 w' D- A* V o5 N9 o! Q% A1 ?3 I0 c4 J( k
__________________________________________________________________________3 ~, H, `1 Y$ T7 Q( |8 C) \
8 d5 R% C h, ?9 V4 C9 J
Method 13
4 b& D, b: S9 L' ~: {5 C$ g=========
! k6 I1 L: t3 P% f; f5 d5 z
3 I9 T# Z: z( ~- ZNot a real method of detection, but a good way to know if SoftICE is# m, b; `$ e$ u, ?6 a
installed on a computer and to locate its installation directory.
' _- C0 {1 c$ X( EIt is used by few softs which access the following registry keys (usually #2) :- Q8 ^0 L' {. `& i( A |6 t+ K& X
- p; o4 v4 R- ?0 T* q
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion `0 [% g3 J1 L- c& g) z8 x* |# L* W$ G
\Uninstall\SoftICE; X8 r6 r" D" M. i. G a
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
2 F/ `) w! p. B! @/ F3 d-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
# \" o/ W0 P5 L( h! W8 s/ |1 a\App Paths\Loader32.Exe
& W$ v# J( P" z' i6 v
! q+ j; w9 B8 g# X0 a
! W" f r" D# ?& O' H) U3 Q; eNote that some nasty apps could then erase all files from SoftICE directory
t- @$ [& U: I/ x(I faced that once :-(# y y5 o6 Z9 v" F( O e
6 K; R- b6 S# D7 C- hUseful breakpoint to detect it:# O; ]" e4 d. V i0 |* Y: |
% {- z N; e1 {6 S+ ]/ t BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
8 D2 B7 \8 W6 @0 k" Z4 n
! a( {0 C6 ~8 C, `8 e1 V% S6 G* A9 U__________________________________________________________________________/ E" |3 n# v3 y. Q: l; n! X$ L" \
) Z. g1 H# m( f9 W( D. N
* t5 X( e" j" g
Method 14 : p9 M, l! B- F& P$ s0 Z
=========
1 J: L5 G; f& H3 G/ v- H( j! C7 ?5 E5 U3 O0 e, {. n
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
% v* T9 g6 T: }1 i3 X8 e! ? P+ Xis to determines whether a debugger is running on your system (ring0 only).5 f" _+ ^& z0 q/ F ?9 Z# Q
7 f; i3 q$ ^. @/ p6 X/ b- \0 Z
VMMCall Test_Debug_Installed
& F# ^$ d" ]# c je not_installed
# Z' d" `& c* \0 ]
0 f9 M7 e$ [' b& lThis service just checks a flag.) X3 @6 p! M' k- N6 W: q( g' J# h
</PRE></TD></TR></TBODY></TABLE> |