<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3
 cmp al,4
 jnz SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce windows)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3 ; Int call.(if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02 ; BX+2 to point to next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06 ; Repeat 6 times to execute
4C19:00A8 JB 0095 ; 6 different commands.
4C19:00AA JMP 0002 ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:
 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 xor ax,ax
 mov es,ax ; ES = 0: the interrupt vector table (assumed, as in Method 06)
 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4] ; install our own int 41h handler, saving the old one
 xchg bx, es:[41h*4+2]
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4] ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h ; our handler leaves ax alone, so F386h means SoftICE answered
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al ; only runs if the vector was not intercepted by SoftICE
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 in al, 40h ; timer value, used as a random byte
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]
 xchg bx, es:[41h*4+2]
 cmp cl,al ; cl == al only if our handler was really called
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
 app like this:
 BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

 mov ah, 25h ; DOS set interrupt vector
 mov al, 01h ; interrupt number: 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
 bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
 SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
 HANDLE hFile;
 /* Open the SICE VxD by its device name; only succeeds if it is loaded. */
 hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if( hFile != INVALID_HANDLE_VALUE )
 {
 CloseHandle(hFile);
 return TRUE; /* SoftICE is loaded */
 }
 return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

 00401067: push 00402025 ; \\.\SICE
 0040106C: call CreateFileA
 00401071: cmp eax,-001
 00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(
-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:
 push 00 ; OF_READ
 mov eax,[00656634] ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax
 jnz 00650589 ; detected
 push 00 ; OF_READ
 mov eax,[00656638] ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

 push 0000004fh ; function 4fh
 push 002a002ah ; high word specifies which VxD (VWIN32)
 ; low word specifies which service
 ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxDCall
 cmp ax, 0f386h ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:
 BPINT 41 if ax==4f
 BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one
 BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

 BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========
Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
 \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
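The checks of Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 each leave a fixed byte pattern in the program (the instruction encodings and strings quoted above), so an analyst can flag them statically before running anything under a debugger. The scanner below is an added example, not code from this document; the signature names, the function names and the sample image are my own constructions, and the opcode bytes are the standard x86 16-bit encodings of the listed instructions.

```python
import re

# x86 byte signatures of the SoftICE checks described above (16-bit encodings
# unless noted). Names and groupings are my own, not from the document.
SIGNATURES = {
    "01 BCHK/int 3":        rb"\xBD\x4B\x48\x43\x42",              # mov ebp,4243484Bh
    "02 back door":         (rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A"  # mov si,4647h .. mov di,4A4Dh
                             rb"|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46"),
    "03/04 int 2Fh/1684h":  rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",  # VxD ID 0202h/7A5Fh
    "05 int 41h/4Fh":       rb"\xB8\x4F\x00\xCD\x41",              # mov ax,4Fh / int 41h
    "07 int 68h/43h":       rb"\xB4\x43\xCD\x68",                  # mov ah,43h / int 68h
    "11 MeltICE device":    rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",     # "\\.\SICE" etc.
    "12 VxDCall 2A002Ah":   rb"\x6A\x4F\x68\x2A\x00\x2A\x00",      # push 4Fh / push 2A002Ah
    "13 registry key":      rb"Software\\NuMega\\SoftICE",
}


def scan(data):
    """Return a sorted list of (offset, method) hits found in a raw image."""
    hits = []
    for name, pattern in SIGNATURES.items():
        # DOTALL so the '.' gap in the Method 02 pattern also spans 0x0A bytes
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


def summarize(data):
    """Map each detected method to its hit count, for a quick triage verdict."""
    counts = {}
    for _, name in scan(data):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample image (not a real binary): the Method 02 back-door
# sequence from the Haspinst listing, the Method 05 check, a MeltICE device
# name, and NOP filler around them.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"          # mov ax,0911h
    + b"\x8B\x17"              # mov dx,[bx]
    + b"\xBE\x47\x46"          # mov si,4647h   (offset 9)
    + b"\xBF\x4D\x4A"          # mov di,4A4Dh
    + b"\xCC"                  # int 3
    + b"\xB8\x4F\x00\xCD\x41"  # mov ax,4Fh / int 41h   (offset 16)
    + b"\x3D\x86\xF3"          # cmp ax,0F386h
    + b"\\\\.\\SICE\x00"       # "\\.\SICE" device name  (offset 24)
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08x}  {name}")
```

Run it over a whole file (`scan(open(path, "rb").read())`) to get the offsets to inspect in a disassembler; a hit is a lead, not proof, since the same bytes can occur in data.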

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>