<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of the packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE implements on int 3:
when SoftICE is loaded it handles the int 3 itself and returns with AL
changed; when it is not, AL is still 4.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4
    jnz SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It calls the
SoftICE 'Back Door commands', which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display a string in the SoftICE window)
-AX = 0911h (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SoftICE breakpoints)
-AX = 0914h (Remove SoftICE breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h ('FG')
-DI = 4A4Dh ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911  ; execute command.
4C19:0098 MOV DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647  ; 1st magic value.
4C19:009D MOV DI,4A4D  ; 2nd magic value.
4C19:00A0 INT 3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06    ; Repeat 6 times to execute
4C19:00A8 JB 0095      ; 6 different commands.
4C19:00AA JMP 0002     ; Bad_Guy: jmp back.
4C19:00AD MOV BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH (exception handler) if the
  debugger is not loaded: without SoftICE nothing answers the int 3 call.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the SoftICE VxD's API entry point via
int 2Fh, function 1684h (Get Device API Entry Point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h ; VxD ID of WINICE
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

ES:DI is preset to 0:0 and int 2Fh/1684h leaves it that way when no VxD
with that ID is loaded, so a non-zero ES+DI means the SoftICE VxD answered.
___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it asks for the SoftICE
GFX VxD (SIWVID):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7A5Fh ; VxD ID of SIWVID
    int 2Fh
    mov ax, es    ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov ax, 4Fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The program temporarily replaces the
int 41h vector in the IVT with a do-nothing IRET, so the magic number can
only come from a debugger that traps the interrupt below the IVT (under
Windows, int 41h from V86 mode is dispatched to the system debugger by
VWIN32, see Method 12); hooking int 41h yourself in the IVT does not help.

    xor ax, ax
    mov es, ax              ; ES -> IVT
    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; install dummy handler, save old vector
    xchg bx, es:[41h*4+2]
    mov ax, 4Fh
    int 41h
    xchg dx, es:[41h*4]     ; restore old vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0F386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but harder to detect: the function
number is a random byte read from the timer (port 40h) instead of 4Fh, and
the dummy handler copies AL into CL. If the dummy handler ran (no debugger),
CL equals AL; if a debugger trapped the interrupt, CL is still 0.

int41handler PROC
    mov cl, al
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax              ; ES -> IVT
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; install dummy handler, save old vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; random function number
    xor cx, cx
    int 41h
    xchg dx, es:[41h*4]     ; restore old vector
    xchg bx, es:[41h*4+2]
    cmp cl, al
    jnz SoftICE_detected
_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:
    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client EIP is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov ah, 25h
    mov al, Int_Number            ; 01h or 03h
    mov dx, offset New_Int_Routine ; ds must hold the routine's segment
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed:

    mov eax, Device_ID   ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
    mov edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx       ; ECX = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
    bpx Get_DDB if ax==0202 || ax==7a5f
__________________________________________________________________________
Method 10
=========

=> Disable or clear your breakpoints before running a program that uses this
   trick. DO NOT trace with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or if there are some memory breakpoints set (DR0 to DR3), simply
by reading their value (in ring 0 only: mov eax, drN is a privileged
instruction and faults in ring 3). Values can be manipulated and/or changed
as well (clearing BPMs, for instance).
Note that bit 10 of DR7 is reserved and always reads as 1, hence the 0x400
baseline; 0x700 means the LE/GE exact-breakpoint bits are set as well.

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow the
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA, it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001   ; INVALID_HANDLE_VALUE
00401074: je 00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'
 (esp->4 is the first argument, lpFileName; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(
-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

    push 00              ; OF_READ
    mov eax,[00656634]   ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax              ; HFILE_ERROR (-1) becomes 0
    jnz 00650589         ; detected
    push 00              ; OF_READ
    mov eax,[00656638]   ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae          ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 & 06) but very limited, because it is only available under Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

    push 0000004Fh          ; function 4Fh
    push 002A002Ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_0001  ; VxDCall
    cmp ax, 0F386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!
__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 (esp->8 is the subkey string; "tICE" sits at offset 0x13 in key #2 and at
  offset 0x37 in key #1)
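The following is an added example, not code from the original text nor from MeltICE or any of the programs named above. It collects the probe lists behind Method 11 (driver handles) and Method 13 (registry keys) in one place, with the actual OS call hidden behind a callback so the logic can be run and tested on a machine without SoftICE or without Windows, and it models what the two BPX conditions above actually compare on the call arguments. The Win32 probes under _WIN32 use the page's CreateFileA call and RegOpenKeyExA; probe_nothing and probe_only_ntice are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>   /* link with advapi32 for RegOpenKeyExA */
#endif

/* Added example, not from the original text: Method 11 / Method 13 probes
 * behind a callback, plus the four-byte compares of the page's BPX lines. */
typedef int (*probe_fn)(const char *name);   /* returns 1 if name can be opened */

static const char *const softice_devices[] = {   /* Method 11 */
    "\\\\.\\SICE",      /* SoftICE VxD, Win9x */
    "\\\\.\\SIWVID",    /* SoftICE video VxD, Win9x */
    "\\\\.\\NTICE",     /* SoftICE driver, Windows NT */
};
static const char *const softice_regkeys[] = {   /* Method 13, under HKLM */
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Index of the first name the probe accepts, -1 if none. */
static int first_hit(const char *const names[], size_t n, probe_fn probe)
{
    for (size_t i = 0; i < n; i++)
        if (probe(names[i]))
            return (int)i;
    return -1;
}
/* 1 if a SoftICE driver handle opens: SoftICE is loaded (MeltICE's test). */
int softice_driver_loaded(probe_fn open_device)
{
    return first_hit(softice_devices, COUNT(softice_devices), open_device) >= 0;
}
/* 1 if a SoftICE registry key exists: SoftICE is installed. */
int softice_installed(probe_fn key_exists)
{
    return first_hit(softice_regkeys, COUNT(softice_regkeys), key_exists) >= 0;
}

/* Models "BPX CreateFileA if *(esp->4+4)=='SICE' || ...": esp->4 is the
 * lpFileName argument, +4 skips "\\.\", and the 4 bytes there are compared. */
int bpx_createfile_hits(const char *lpFileName)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    if (strlen(lpFileName) < 8)
        return 0;
    for (size_t i = 0; i < COUNT(tags); i++)
        if (memcmp(lpFileName + 4, tags[i], 4) == 0)
            return 1;
    return 0;
}
/* Models "BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'":
 * esp->8 is the subkey; "tICE" is at offset 0x13 of key #2, 0x37 of key #1. */
int bpx_regopenkey_hits(const char *subkey)
{
    static const size_t offs[] = { 0x13, 0x37 };
    size_t len = strlen(subkey);
    for (size_t i = 0; i < COUNT(offs); i++)
        if (len >= offs[i] + 4 && memcmp(subkey + offs[i], "tICE", 4) == 0)
            return 1;
    return 0;
}

#ifdef _WIN32
static int win32_open_device(const char *name)   /* the page's CreateFile call */
{
    HANDLE h = CreateFileA(name, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    CloseHandle(h);
    return 1;
}
static int win32_key_exists(const char *subkey)
{
    HKEY k;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, subkey, 0, KEY_READ, &k) != ERROR_SUCCESS)
        return 0;
    RegCloseKey(k);
    return 1;
}
#endif

/* Constructed stand-in probes for a machine without SoftICE (or without Windows). */
int probe_nothing(const char *name)    { (void)name; return 0; }
int probe_only_ntice(const char *name) { return strcmp(name, "\\\\.\\NTICE") == 0; }

int main(void)
{
#ifdef _WIN32
    printf("SoftICE loaded: %d, installed: %d\n",
           softice_driver_loaded(win32_open_device), softice_installed(win32_key_exists));
#else
    printf("simulated: loaded=%d, installed=%d\n",
           softice_driver_loaded(probe_only_ntice), softice_installed(probe_nothing));
#endif
    return 0;
}
```

Separating the probe lists from the OS call is also how you would audit a protection: swap in a probe that logs every name it is asked for, and you see exactly which driver names and keys the program looks at, without needing SoftICE on the box.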
__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only):

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>