<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02     ; BX+2 to point to next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor ax,ax
    mov es,ax                   ; es = 0 so es:[41h*4] addresses the IVT entry
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; install our own int 41h handler
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

    BPX exec_int if ax==68
(function called is located at byte ptr [ebp+1Dh] and client eip is
located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov ah, 25h
    mov al, Int_Number          ; 01h or 03h
    mov dx, offset New_Int_Routine
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* \\.\SICE is the device name registered by the SoftICE VxD */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025      ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
        *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                     ; OF_READ
    mov eax,[00656634]          ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589                ; detected
    push 00                     ; OF_READ
    mov eax,[00656638]          ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae                 ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh              ; function 4fh
    push 002a002ah              ; high word specifies which VxD (VWIN32)
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001       ; VxdCall
    cmp ax, 0f386h              ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:
    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386      ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>