<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

  mov ebp, 04243484Bh ; 'BCHK'
  mov ax, 04h
  int 3
  cmp al, 4
  jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

  4C19:0095 MOV AX,0911  ; execute command.
  4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
  4C19:009A MOV SI,4647  ; 1st magic value.
  4C19:009D MOV DI,4A4D  ; 2nd magic value.
  4C19:00A0 INT 3        ; Int call (if SIce is not loaded, jmp to 00AD*).
  4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute.
  4C19:00A4 INC CX
  4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
  4C19:00A8 JB 0095      ; 6 different commands.
  4C19:00AA JMP 0002     ; Bad_Guy jmp back.
  4C19:00AD MOV BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

  xor di, di
  mov es, di
  mov ax, 1684h
  mov bx, 0202h  ; VxD ID of winice
  int 2Fh
  mov ax, es     ; ES:DI -> VxD API entry point
  add ax, di
  test ax, ax
  jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

  xor di, di
  mov es, di
  mov ax, 1684h
  mov bx, 7a5Fh  ; VxD ID of SIWVID
  int 2fh
  mov ax, es     ; ES:DI -> VxD API entry point
  add ax, di
  test ax, ax
  jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

  mov ax, 4fh
  int 41h
  cmp ax, 0F386h
  jz SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

  xor ax, ax
  mov es, ax            ; ES -> interrupt vector table (segment 0)
  mov bx, cs
  lea dx, int41handler2
  xchg dx, es:[41h*4]   ; install our own int 41h handler...
  xchg bx, es:[41h*4+2]
  mov ax, 4fh
  int 41h
  xchg dx, es:[41h*4]   ; ...and restore the original vector
  xchg bx, es:[41h*4+2]
  cmp ax, 0f386h
  jz SoftICE_detected

int41handler2 PROC
  iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
  mov cl, al
  iret
int41handler ENDP

  xor ax, ax
  mov es, ax
  mov bx, cs
  lea dx, int41handler
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  in al, 40h
  xor cx, cx
  int 41h
  xchg dx, es:[41h*4]
  xchg bx, es:[41h*4+2]
  cmp cl, al
  jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

  mov ah, 43h
  int 68h
  cmp ax, 0F386h
  jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
app like this:
  BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

  mov ah, 25h
  mov al, Int_Number   ; 01h or 03h
  mov dx, offset New_Int_Routine
  int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

  mov eax, Device_ID    ; 202h for SICE or 7a5Fh for SIWVID VxD ID
  mov edi, Device_Name  ; only used if no VxD ID (useless in our case ;-)
  VMMCall Get_DDB
  mov [DDB], ecx        ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
  bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

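As an added example (not part of the original text), here is a Python decoder for the DR7 value the paragraph talks about, using the bit layout from the Intel manual: the two values quoted, 0x700 and 0x400, differ only in the LE and GE bits, and any BPM shows up as an enabled L0-L3/G0-G3 slot with its type and length. The 0x401000 breakpoint address and the DR7 value 0xF0401 in the check are constructed, not from a real system.

```python
# DR7 bit layout (Intel SDM vol. 3): bits 0-7 = L0,G0..L3,G3 enable bits,
# bit 8 = LE, bit 9 = GE, bit 10 = reserved (always 1), bit 13 = GD,
# bits 16+4i/17+4i = R/Wi, bits 18+4i/19+4i = LENi for breakpoint i.
LE, GE, GD = 1 << 8, 1 << 9, 1 << 13
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Describe the hardware breakpoints enabled by DR7 plus its global flags.
    dr0_3 holds the linear addresses read from DR0..DR3 (zeros if unknown)."""
    bps = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue  # slot i is not armed, its R/W and LEN fields are meaningless
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({"index": i, "local": local, "global": glob,
                    "kind": RW_KIND[rw], "length": LEN_BYTES[ln],
                    "address": dr0_3[i]})
    return {"le": bool(dr7 & LE), "ge": bool(dr7 & GE), "gd": bool(dr7 & GD),
            "breakpoints": bps}


def loaded_under_softice_loader(dr7):
    """The text reports dr7 == 0x700 for a program started through the SoftICE
    loader and 0x400 otherwise; the difference is exactly the LE and GE bits,
    so that is what this check tests for (rather than comparing whole values)."""
    return bool(dr7 & LE) and bool(dr7 & GE)


if __name__ == "__main__":
    # Constructed value: slot 0 armed locally, read/write, 4 bytes, at 0x401000
    # (the shape a SoftICE BPM on a dword would leave in DR0/DR7).
    print(decode_dr7(0xF0401, (0x401000, 0, 0, 0)))
    print(loaded_under_softice_loader(0x700), loaded_under_softice_loader(0x400))
```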
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* Opening the device name succeeds only when the SICE VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067: push 00402025    ; \\.\SICE
  0040106C: call CreateFileA
  00401071: cmp eax,-001
  00401074: je 00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                     *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
  BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
  ;will break 3 times :-(

-or (a bit) faster:
  BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

  BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
  ;will break 3 times :-(

-Much faster:
  BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

  push 00                 ; OF_READ
  mov eax,[00656634]      ; '\\.\SICE',0
  push eax
  call KERNEL32!_lopen
  inc eax
  jnz 00650589            ; detected
  push 00                 ; OF_READ
  mov eax,[00656638]      ; '\\.\SICE'
  push eax
  call KERNEL32!_lopen
  inc eax
  jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
and 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

  push 0000004fh          ; function 4fh
  push 002a002ah          ; high word specifies which VxD (VWIN32),
                          ; low word specifies which service (VWIN32_Int41Dispatch)
  call Kernel32!ORD_001   ; VxdCall
  cmp ax, 0f386h          ; magic number returned by system debuggers
  jz SoftICE_detected

Here again, several ways to detect it:

  BPINT 41 if ax==4f

  BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
  BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

  BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:
  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

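The breakpoints above only catch a trick at run time. As an added example (not part of the original text), the Python scanner below looks for the same tricks statically, in a file image, using byte patterns hand-assembled from the instruction sequences quoted in methods 01, 02, 03/04, 05, 07, 11, 12 and 13; it assumes 16-bit operand size for the DOS-era snippets (an optional 66h prefix lets 32-bit code match too), and the SAMPLE buffer is constructed, not taken from any real binary.

```python
import re

# (method number from the text, description, pattern over raw bytes).
# Encodings are hand-assembled from the page's snippets (assumption: 16-bit code;
# the optional 66h prefix covers the same moves inside 32-bit code).
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' check: mov ebp,4243484Bh ... int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}\xCC", re.S)),
    ("02", "back door magic values: mov si,4647h / mov di,4A4Dh",
     re.compile(rb"\x66?\xBE\x47\x46.{0,4}\x66?\xBF\x4D\x4A", re.S)),
    ("03/04", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,4}\xBB(?:\x02\x02|\x5F\x7A).{0,4}\xCD\x2F", re.S)),
    ("05", "int 41h/4Fh followed by cmp ax,0F386h",
     re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,8}\x3D\x86\xF3", re.S)),
    ("07", "int 68h/43h WinICE handler check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("11", "MeltICE device name (CreateFileA / _lopen)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    ("13", "SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(blob):
    """Return (offset, method, description) for every signature hit, in file order."""
    hits = []
    for method, desc, rx in SIGNATURES:
        hits.extend((m.start(), method, desc) for m in rx.finditer(blob))
    return sorted(hits)


# Constructed input: five of the tricks above, hand-assembled and padded with NOPs.
SAMPLE = b"\x90" * 8 + b"".join([
    b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10",  # method 01
    b"\x90" * 8,
    b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC",          # method 02 (Haspinst loop body)
    b"\x90" * 8,
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05",                  # method 05
    b"\x90" * 8,
    b"\\\\.\\SICE\x00",                                           # method 11
    b"Software\\NuMega\\SoftICE\x00",                             # method 13
])

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:#06x}  method {method:<5} {desc}")
```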
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

  VMMCall Test_Debug_Installed
  je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>