<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint information)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV  AX,0911    ; execute command.
4C19:0098 MOV  DX,[BX]    ; ds:dx points to the command (see below).
4C19:009A MOV  SI,4647    ; 1st magic value.
4C19:009D MOV  DI,4A4D    ; 2nd magic value.
4C19:00A0 INT  3          ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD  BX,02      ; BX+2 to point to the next command to execute.
4C19:00A4 INC  CX
4C19:00A5 CMP  CX,06      ; Repeat 6 times to execute
4C19:00A8 JB   0095       ; 6 different commands.
4C19:00AA JMP  0002       ; Bad_Guy jmp back.
4C19:00AD MOV  BX,SP      ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of winice
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7a5Fh               ; VxD ID of SIWVID
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov     ax, 4fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        xor     ax, ax
        mov     es, ax                  ; ES -> interrupt vector table (segment 0)
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]          ; install a dummy int 41h handler,
        xchg    bx, es:[41h*4+2]        ; keeping the original vector in DX:BX
        mov     ax, 4fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0f386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
        mov     cl, al                  ; only reached if our handler gets the int
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        in      al, 40h                 ; arbitrary value read from the timer port
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        cmp     cl, al                  ; CL != AL: our handler never ran
        jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

        mov     ah, 25h
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========
=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
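To make the two DR7 values quoted above concrete, here is an added example (it is
not part of this text and not code from SoftICE or any of the tools named here)
that decodes a DR7 value already read in ring0: it reports whether the LE/GE
'exact' bits are set, and which of the dr0-dr3 slots are armed, with which
type and length. The bit layout is the one documented in the Intel manuals
(bit 10 is reserved and always reads as 1, which is why a machine with nothing
armed shows the bare 0x400). It goes beyond the text by decoding all four
breakpoint slots rather than only the two values quoted; the names returned by
classify_dr7 and the 0xD0402 sample value are this example's own construction.

```python
"""DR7 decoder: which hardware breakpoints are armed and whether a system
debugger left its LE/GE 'exact' bits behind (the dr7=0x700 vs 0x400 check).
Added example; it works on a value that was already read in ring0."""
from typing import Dict, List

DR7_LE = 1 << 8             # local exact breakpoint enable
DR7_GE = 1 << 9             # global exact breakpoint enable
DR7_RESERVED_ONE = 1 << 10  # reserved, always reads as 1 (hence the bare 0x400)
DR7_GD = 1 << 13            # general detect: fault on any MOV to/from a DRx

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}    # LENn encoding (2 = 8 bytes, 64-bit only)


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into the exact-mode flags, the GD flag and the armed slots."""
    slots: List[Dict[str, object]] = []
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))        # Ln bit
        glob = bool(dr7 & (1 << (2 * n + 1)))     # Gn bit
        if not (local or glob):
            continue                              # slot n is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3            # R/Wn field
        ln = (dr7 >> (18 + 4 * n)) & 3            # LENn field
        slots.append({"slot": n, "local": local, "global": glob,
                      "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "exact": bool(dr7 & (DR7_LE | DR7_GE)),
        "general_detect": bool(dr7 & DR7_GD),
        "breakpoints": slots,
    }


def classify_dr7(dr7: int) -> str:
    """Coarse verdict in the spirit of Method 10 (labels are this example's own)."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "hardware breakpoints armed"
    if info["exact"]:
        return "debugger present (LE/GE set)"
    return "clean"


if __name__ == "__main__":
    # 0x400 and 0x700 are the values quoted in the text; 0xD0402 is a constructed
    # value with G0 set, R/W0 = write and LEN0 = 4 bytes.
    for value in (0x400, 0x700, 0xD0402):
        print(hex(value), classify_dr7(value), decode_dr7(value)["breakpoints"])
```

decode_dr7 deliberately ignores the reserved bit, so a value of exactly 0x400
decodes to nothing armed and no exact bits, which is the "clean" case the text
describes; 0x700 adds LE and GE and nothing else.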

__________________________________________________________________________
Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


        00401067: push 00402025         ; \\.\SICE
        0040106C: call CreateFileA
        00401071: cmp  eax,-001
        00401074: je   00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push    0000004fh               ; function 4fh
        push    002a002ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_001        ; VxDCall
        cmp     ax, 0f386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

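The breakpoints above catch these tricks while the program runs under SoftICE.
When analysing a sample statically, the same tricks leave recognisable byte
patterns behind. Here is an added example (not code from this text nor from any
tool named on this page) that scans a raw code/data blob for them: the 'BCHK'
immediate of Method 01, the 4647h/4A4Dh magic values of Method 02, int 2Fh
function 1684h of Methods 03 and 04, the cmp ax,0F386h of Methods 05 and 12, and
the \\.\SICE, \\.\SIWVID and \\.\NTICE device names of Method 11. The signature
names are invented for the example, and the sample blob is hand-assembled from
the instructions quoted on this page (encodings and offsets are my own
construction, mixing 16-bit and 32-bit code only for the sake of the demo).

```python
"""Static scan for the SoftICE-detection idioms listed on this page.
Added example: patterns, names and the sample blob are constructed here."""
import re
from typing import List, Tuple

# name -> compiled byte pattern. Encodings are x86 real-mode / 32-bit opcodes;
# a 66h operand-size prefix, when present, sits just before the matched bytes.
SIGNATURES = {
    # Method 01: mov ebp, 4243484Bh ('BCHK') -> BD 4B 48 43 42
    "bchk_bounds_checker": re.compile(rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h (BE 47 46) then, within 8 bytes, mov di,4A4Dh (BF 4D 4A)
    "int3_backdoor_magic": re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A", re.DOTALL),
    # Methods 03/04: mov ax,1684h (B8 84 16) then, within 8 bytes, int 2Fh (CD 2F)
    "int2f_get_entry_point": re.compile(rb"\xB8\x84\x16.{0,8}\xCD\x2F", re.DOTALL),
    # Methods 05/12: cmp ax,0F386h -> 3D 86 F3
    "magic_f386": re.compile(rb"\x3D\x86\xF3"),
    # Method 11: NUL-terminated \\.\SICE, \\.\SIWVID or \\.\NTICE device name
    "sice_device_name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
}


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every hit, ordered by offset."""
    hits = [(name, m.start())
            for name, pat in SIGNATURES.items()
            for m in pat.finditer(blob)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample: Method 01 (32-bit code), the Haspinst loop of Method 02
# (16-bit code), a MeltICE device name, the simple int 41h check of Method 05
# and the int 2Fh/1684h call of Method 03.
SAMPLE = (
    bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04" "75FE")    # mov ebp,'BCHK' .. jnz
    + bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC"       # mov ax,0911h .. int 3
                    "83C302" "41" "83F906" "72EB")               # add bx,2 .. jb 0095
    + b"\\\\.\\SICE\x00"                                         # device name string
    + bytes.fromhex("B84F00" "CD41" "3D86F3" "74FE")             # mov ax,4Fh .. jz
    + bytes.fromhex("B88416" "BB0202" "CD2F")                    # mov ax,1684h .. int 2Fh
)


if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

This is a heuristic: a constant assembled at run time, or a packed image, will
not match, so run it on an unpacked copy of the code section, and treat a hit as
something to look at in the debugger rather than as proof on its own.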
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
                       \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>