<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of SoftICE detection (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
 -AX = 0910h (Display a string in the SoftICE window)
 -AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
 -AX = 0912h (Get breakpoint info)
 -AX = 0913h (Set SoftICE breakpoints)
 -AX = 0914h (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
 -SI = 4647h
 -DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911       ; execute command.
4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647       ; 1st magic value.
4C19:009D MOV DI,4A4D       ; 2nd magic value.
4C19:00A0 INT 3             ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
4C19:00A8 JB 0095           ; 6 different commands.
4C19:00AA JMP 0002          ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of WINICE
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_Detected

The next one, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). ES must point to the interrupt vector
table (segment 0) before the vector is swapped:

    xor ax, ax
    mov es, ax              ; ES = 0 (IVT segment)
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install our own int 41h handler...
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; ...and restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_Detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect:

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES = 0 (IVT segment)
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    in al, 40h              ; read a timer byte as an unpredictable value
    xor cx, cx
    int 41h                 ; our handler copies AL into CL; a debugger that
                            ; owns int 41h never lets it run, so CL stays 0
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_Detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h
    mov al, Int_Number      ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name    ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their values (in ring 0 only). The values can be manipulated or changed as
well (clearing BPMs, for instance).

__________________________________________________________________________
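As an added example (not part of the original text), here is how an analyst can read the DR7 values quoted in Method 10: the decoder below splits DR7 into its standard x86 bit fields, which is why 0x400 is the "empty" value (bit 10 is reserved and always reads as 1) and 0x700 means the LE and GE bits are set; the sample DR0 address is constructed.

```python
# Added example (not part of the original text): decode a DR7 value the way an
# analyst reads the debug registers mentioned in Method 10.  Bit layout is the
# standard x86 one:
#   bits 0..7   L0,G0,L1,G1,L2,G2,L3,G3 : local/global enable for DR0..DR3
#   bit 8 / 9   LE / GE                 : local/global exact breakpoint enable
#   bit 10      reserved, always reads as 1 (hence the "empty" value 0x400)
#   bit 13      GD                      : general detect (trap on DRx access)
#   bits 16..31 R/Wn (2 bits) and LENn (2 bits) for each of DR0..DR3
RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return the flags and the list of enabled hardware breakpoints in dr7."""
    info = {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3     # R/Wn field
        ln = (dr7 >> (18 + 4 * n)) & 3     # LENn field
        info["breakpoints"].append({
            "index": n,
            "address": dr0_3[n],
            "scope": "global" if glob else "local",
            "type": RW_TYPES[rw],
            "length": LEN_BYTES[ln],
        })
    return info


def classify_dr7(dr7):
    """Apply Method 10's rule of thumb: 0x700 (LE and GE set) means the program
    was started with the SoftICE loader, 0x400 (only the reserved bit) means a
    clean state, and any enabled DR0..DR3 entry means a memory breakpoint."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "hardware breakpoints set"
    if info["le"] and info["ge"]:
        return "started under SoftICE loader"
    if (dr7 & 0x3FF) == 0:
        return "clean"
    return "unknown"


if __name__ == "__main__":
    # 0xD0402: G0 enabled, R/W0 = write, LEN0 = 4 bytes (constructed value)
    for value in (0x400, 0x700, 0xD0402):
        print(hex(value), classify_dr7(value),
              decode_dr7(value, (0x401000, 0, 0, 0))["breakpoints"])
```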
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025       ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0 if the open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 &amp; 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_Detected

Here again, there are several ways to detect it:
    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386                ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

 -#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Uninstall\SoftICE
 -#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
 -#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________
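As an added example (not part of the original text, and not a NuMega or Stone tool), the scanner below turns the static fingerprints of Methods 01 to 13 into byte and string signatures that an analyst can run over a DOS/Win9x sample before tracing it; the opcode encodings are the 16-bit forms except for the 32-bit push sequence of Method 12, the signature names are my own, and the sample buffer is constructed.

```python
import re

# Added example (not part of the original text): a triage scanner that flags
# the static byte patterns of the SoftICE checks from Methods 01-13, so an
# analyst can spot them in a DOS/Win9x sample before tracing it under a
# debugger.  Opcode encodings are the 16-bit forms unless noted.
SIGNATURES = {
    # Method 01: mov ebp, 4243484Bh ('BCHK')          -> BD imm32
    "m01_boundschecker_bchk": rb"\xBD\x4B\x48\x43\x42",
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3  (back door magic values)
    "m02_backdoor_magic": rb"\xBE\x47\x46\xBF\x4D\x4A\xCC",
    # Methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh
    "m03_int2f_winice": rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "m04_int2f_siwvid": rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "m05_int41_4f": rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "m07_int68_43": rb"\xB4\x43\xCD\x68",
    # Method 11: driver device names opened with CreateFileA or _lopen
    "m11_device_name": rb"\\\\\.\\(SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh / push 2A002Ah before VxDCall (32-bit: 6A ib, 68 id)
    "m12_vxdcall_int41": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: registry key #2 probed by installation checks
    "m13_registry_key": rb"Software\\NuMega\\SoftICE",
}
# Only the string signatures are case-insensitive: case folding an opcode
# pattern would also fold bytes such as 0x4B/0x6B and invite false hits.
STRING_SIGS = {"m11_device_name", "m13_registry_key"}
COMPILED = {n: re.compile(p, re.IGNORECASE if n in STRING_SIGS else 0)
            for n, p in SIGNATURES.items()}


def scan(buf):
    """Return a sorted list of (offset, signature name) hits found in buf."""
    hits = []
    for name, pat in COMPILED.items():
        hits.extend((m.start(), name) for m in pat.finditer(buf))
    return sorted(hits)


def summarize(buf):
    """Count hits per signature name (names with zero hits are omitted)."""
    counts = {}
    for _, name in scan(buf):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: filler around a Method 05 check (with its cmp ax,0F386h),
# two Method 11 device names and a Method 12 VxDCall setup (offsets 12,30,39,50).
SAMPLE = (b"\x90\x90MZ\x00\x00filler"
          + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"
          + b"\x00" * 8
          + b"\\\\.\\SICE\x00\\\\.\\SIWVID\x00"
          + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15")

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print("%#06x  %s" % (off, name))
    print(summarize(SAMPLE))
```

A hit is a triage lead, not proof: short opcode sequences can occur by chance in data, so confirm each one in a disassembler.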

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>