<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========
This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; al is modified if SoftICE handled the int 3
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI still 0000:0000 -> no such VxD
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________


Method 05
=========
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next variant, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax, ax
    mov es, ax              ; es = 0: the interrupt vector table
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install a dummy int 41h handler,
    xchg bx, es:[41h*4+2]   ; saving the old vector in bx:dx
    mov ax, 4fh
    int 41h                 ; a system debugger hooks this before the IVT
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; only runs if the int reaches our handler
    iret
int41handler ENDP


    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our int 41h handler, save the old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read the timer port: an unpredictable value in al
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; cl != al: our handler was bypassed by a debugger
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h             ; DOS: set interrupt vector
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very effective:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).


___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* \\.\SICE is the device name of the Win9x SoftICE VxD */
    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;    /* the driver answered the open: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001      ; INVALID_HANDLE_VALUE
    00401074: je 00401091


There could be hundreds of BPXs you could use to detect this trick.
-The most classical one is:
BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',00
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxDCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, there are several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
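The following scanner is an added example, not part of the original text: it turns several of the tricks above (methods 01, 02, 05, 11, 12 and 13) into static byte-pattern signatures so an analyst can flag a sample for these anti-SoftICE checks before running it. The byte encodings are the standard x86 ones for the instructions listed in the text, and the input blob is constructed here.

```python
import re
import sys

# One static signature per trick; the byte encodings are the standard x86 ones
# for the instructions shown in the text (constructed here, not from the page).
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh / mov ax,4 / int 3
    ("M01 BoundsChecker 'BCHK' int 3 check",
     re.compile(rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC")),
    # Method 02: mov si,4647h immediately followed by mov di,4A4Dh
    ("M02 SoftICE back-door magic SI=4647h/DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A")),
    # Method 05: int 41h followed within a few bytes by cmp ax,0F386h
    ("M05 int 41h fn 4Fh / magic 0F386h compare",
     re.compile(rb"\xCD\x41.{0,8}?\x3D\x86\xF3", re.DOTALL)),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch) before VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch 002A002Ah",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
    # Method 11: driver device names handed to CreateFileA/_lopen
    ("M11 MeltICE driver device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 13: the NuMega registry key probed with RegOpenKey
    ("M13 SoftICE registry key probe",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(data: bytes) -> list:
    """Return (offset, signature name) pairs for every hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for match in pattern.finditer(data):
            hits.append((match.start(), name))
    return sorted(hits)


def report(data: bytes) -> list:
    """One human-readable line per hit, e.g. '0x0004 M01 ...'."""
    return ["0x%04x %s" % hit for hit in scan(data)]


def build_sample() -> bytes:
    """Constructed blob imitating a protection stub that uses several tricks."""
    return (
        b"\x90" * 4                                                   # filler
        + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # M01
        + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"                  # M02
        + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # M05
        + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                              # M12
        + b"\\\\.\\SICE\x00"                                          # M11
        + b"Software\\NuMega\\SoftICE\x00"                           # M13
    )


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("\n".join(report(blob)) or "no anti-SoftICE patterns found")
```

Run it with a file path to scan a real binary; without arguments it scans the constructed sample and prints one line per trick found.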


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>