<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4                ; al is changed when SoftICE handles the call
        jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command is located at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095  MOV  AX,0911        ; execute command.
4C19:0098  MOV  DX,[BX]        ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647        ; 1st magic value.
4C19:009D  MOV  DI,4A4D        ; 2nd magic value.
4C19:00A0  INT  3              ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1  ADD  BX,02          ; BX+2 to point to next command to execute
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06          ; Repeat 6 times to execute
4C19:00A8  JB   0095           ; 6 different commands.
4C19:00AA  JMP  0002           ; Bad_Guy jmp back.
4C19:00AD  MOV  BX,SP          ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):


        xor di,di
        mov es,di               ; ES:DI = 0:0
        mov ax, 1684h           ; Get VxD API entry point
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; still 0:0 if the VxD is not present
        test ax,ax
        jnz SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

        xor di,di
        mov es,di               ; ES:DI = 0:0
        mov ax, 1684h           ; Get VxD API entry point
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di              ; still 0:0 if the VxD is not present
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; ES is assumed to be 0 (the real-mode interrupt vector table)
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler, keep the old vector
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h          ; our handler leaves ax unchanged; a debugger that
        jz SoftICE_detected     ; traps int 41h before the IVT still answers 0F386h

int41handler2 PROC
        iret
int41handler2 ENDP


_________________________________________________________________________



Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
        mov cl,al               ; our handler copies al to cl
        iret
int41handler ENDP


        xor ax,ax
        mov es,ax               ; ES = 0 (interrupt vector table)
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]     ; install our handler, keep the old vector
        xchg bx, es:[41h*4+2]
        in al, 40h              ; read the timer: an unpredictable value in al
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]     ; restore the old vector
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; cl == al only if our own handler was reached
        jnz SoftICE_detected


_________________________________________________________________________

Method 07
=========
Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

        mov ah, 25h                     ; DOS: set interrupt vector
        mov al, Int_Number              ; 01h or 03h
        mov dx, offset New_Int_Routine  ; ds:dx -> new handler
        int 21h

__________________________________________________________________________

Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
        bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
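The DR7 values quoted above can be read straight off the register's bit layout. The following decoder is an added example (not code from the original text or from SoftICE): it treats 0x400 and 0x700 as the page describes, and also builds the DR7 a debugger writes when it arms a memory breakpoint, so you can see what the dr0-dr3 check is really looking at.

```python
"""Decode an x86 DR7 value into the hardware-breakpoint state it encodes.
Added example, not part of the original text. It explains the two values the
page quotes for method 10: 0x400 is only the reserved always-one bit 10,
while 0x700 adds LE (bit 8) and GE (bit 9), the exact-breakpoint enable bits
that Intel recommends debuggers set, and shows how an armed BPM appears."""

# Bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0..7    L0,G0 .. L3,G3   local/global enable for slots 0..3
#   bits 8, 9    LE, GE           local/global exact breakpoint enable
#   bit 10       reserved, reads as 1
#   bit 13       GD               general detect: trap any MOV to/from DRx
#   bits 16..31  R/Wn, LENn       condition and length for slot n
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the armed slots and the global flags described by dr7."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            slots.append({"slot": i, "local": bool(local), "global": bool(glob),
                          "kind": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"slots": slots,
            "local_exact": bool(dr7 & 0x100),
            "global_exact": bool(dr7 & 0x200),
            "general_detect": bool(dr7 & 0x2000)}


def classify(dr7: int) -> str:
    """Apply the page's method 10 rule of thumb to a DR7 value."""
    state = decode_dr7(dr7)
    if state["slots"]:
        return "memory/hardware breakpoints armed (BPM)"
    if state["local_exact"] and state["global_exact"]:
        return "debugger present (0x700 pattern)"
    return "clean (0x400 pattern)"


def bpm_dr7(slot: int, kind: str, length: int, global_: bool = True) -> int:
    """Build the DR7 a debugger writes to arm one slot, e.g. a 4-byte write
    watchpoint (kind="write", length=4): the inverse of decode_dr7."""
    rw = {v: k for k, v in RW_NAMES.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * slot + (1 if global_ else 0))
    return 0x400 | enable | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))
```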
__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* The open only succeeds if the SICE VxD is loaded and answers the
       DIOC_OPEN control message (see below). */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067:  push 00402025        ; \\.\SICE
0040106C:  call CreateFileA
00401071:  cmp  eax,-001        ; INVALID_HANDLE_VALUE
00401074:  je   00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                      *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
            ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
            ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax                 ; HFILE_ERROR (-1) becomes 0
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected


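The instruction sequences and device names shown in methods 01 to 05, 07, 11 and 12 are fixed enough to be found by a static scan of a binary, which is how an analyst would triage a sample for these tricks before loading it under a debugger. The following scanner is an added example (not part of the original text, and not from any of the tools named on it); the byte encodings and the constructed sample image are assumptions made here.

```python
"""Static scanner for the SoftICE-detection byte patterns listed on this page.
Added example, not part of the original text: it matches the instruction
encodings of methods 01-05, 07 and 12 and the device names of method 11
(CreateFileA / _lopen) in a raw code image such as a DOS .EXE or a PE section."""
import re
import sys

# Encodings assume 16-bit code for the DOS tricks and 32-bit code for the
# Win32 ones; the optional 66h prefix covers the BCHK move in either mode.
SIGNATURES = [
    ("01 BoundsChecker 'BCHK' in EBP before INT 3",
     rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("02 SoftICE back door: SI=4647h, DI=4A4Dh, INT 3",
     rb"(?:\xBE\x47\x46.{0,4}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,4}?\xBE\x47\x46)"
     rb".{0,8}?\xCC"),
    ("03/04 INT 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,4}?\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F"),
    ("05 INT 41h/4Fh followed by CMP AX,0F386h",
     rb"\xB8\x4F\x00\xCD\x41.{0,12}?\x3D\x86\xF3"),
    ("07 INT 68h/43h", rb"\xB4\x43\xCD\x68"),
    ("12 VxDCall VWIN32_Int41Dispatch, function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("11 SoftICE device name (CreateFileA / _lopen)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(image: bytes) -> list:
    """Return every hit as (offset, label), sorted by offset."""
    hits = []
    for label, pattern in COMPILED:
        hits.extend((m.start(), label) for m in pattern.finditer(image))
    return sorted(hits)


# Constructed test image (not taken from any real binary): the Haspinst-style
# back door call of method 02, a method 01 check, then a MeltICE device name.
SAMPLE = (
    b"\xB8\x11\x09"                 # mov ax,0911h        (offset 0)
    b"\x8B\x17"                     # mov dx,[bx]
    b"\xBE\x47\x46"                 # mov si,4647h        (offset 5)
    b"\xBF\x4D\x4A"                 # mov di,4A4Dh
    b"\xCC"                         # int 3
    b"\x90\x90\x90\x90"             # nop padding
    b"\x66\xBD\x4B\x48\x43\x42"     # mov ebp,4243484Bh   (offset 16)
    b"\xB8\x04\x00"                 # mov ax,4
    b"\xCC"                         # int 3
    b"\x3C\x04"                     # cmp al,4
    b"\x00\x00\x00"
    b"\\\\.\\SICE\x00"              # '\\.\SICE',0        (offset 31)
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label in scan(data):
        print(f"{offset:08x}  method {label}")
```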
__________________________________________________________________________


Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_001   ; VxDCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected


Here again, several ways to detect it:
        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).


        VMMCall Test_Debug_Installed    ; zero flag set if no debugger is installed
        je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>