<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov ebp, 04243484Bh     ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al, 4               ; AL still 4 -> nobody answered the BCHK request
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911       ; execute command.
    4C19:0098 MOV DX,[BX]       ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647       ; 1st magic value.
    4C19:009D MOV DI,4A4D       ; 2nd magic value.
    4C19:00A0 INT 3             ; Int call. (if SIce is not loaded, jmp to 00AD*)
    4C19:00A1 ADD BX,02         ; BX+2 to point to the next command to execute
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06         ; Repeat 6 times to execute
    4C19:00A8 JB 0095           ; 6 different commands.
    4C19:00AA JMP 0002          ; Bad_Guy jmp back.
    4C19:00AD MOV BX,SP         ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 0202h           ; VxD ID of winice
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax             ; ES:DI still 0 -> VxD not present
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor di, di
    mov es, di
    mov ax, 1684h
    mov bx, 7a5Fh           ; VxD ID of SIWVID
    int 2Fh
    mov ax, es              ; ES:DI -> VxD API entry point
    add ax, di
    test ax, ax
    jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov ax, 4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]         ; ES is assumed to be 0 here (see Method 06)
    xchg bx, es:[41h*4+2]       ; our own handler now sits in the IVT
    mov ax, 4fh
    int 41h
    xchg dx, es:[41h*4]         ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov cl, al              ; our handler copies AL into CL
    iret
int41handler ENDP

    xor ax, ax
    mov es, ax
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    in al, 40h              ; timer byte: an unpredictable value in AL
    xor cx, cx
    int 41h                 ; if our handler ran, CL == AL
    xchg dx, es:[41h*4]
    xchg bx, es:[41h*4+2]
    cmp cl, al              ; a debugger that swallowed int 41h leaves CL == 0
    jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov ah, 43h
    int 68h
    cmp ax, 0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

    BPX exec_int if ax==68
    (function called is located at byte ptr [ebp+1Dh] and client eip is
    located at [ebp+48h] for 32-bit apps)
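The interrupt-based checks of Methods 01 to 05, 07 and (further down) 12 all hinge on a handful of constants: the 'BCHK' value in EBP, SI=4647h/DI=4A4Dh before int 3, AX=1684h with the VxD ids 0202h/7A5Fh before int 2Fh, AX=4Fh before int 41h, AH=43h before int 68h, and the push 4Fh / push 002A002Ah pair before a VxDCall. That makes them easy to spot statically, before a sample is ever run. The following C program is an added example, not code from the original text: a small signature scanner that looks for those constants within a short window before the INT or PUSH that uses them. The opcode encodings it relies on are the standard x86 ones listed in its header comment, and the code bytes it scans are a constructed sample, not taken from any real program.

```c
/* Added example (not from the original text): a static scanner that flags
 * the interrupt-based SoftICE checks of Methods 01-05, 07 and 12 inside a
 * raw x86 code buffer.  Encodings assumed (standard x86):
 *   B8/BB/BE/BF imm16 = MOV AX/BX/SI/DI,imm16   BD imm32 = MOV EBP,imm32
 *   B4 imm8 = MOV AH,imm8   CD xx = INT xx   CC = INT 3
 *   6A imm8 = PUSH imm8 (sign-extended)   68 imm32 = PUSH imm32 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    size_t offset;     /* offset of the INT / PUSH that triggered the hit */
    const char *name;  /* which trick it matches */
    unsigned detail;   /* AX function number or VxD id, 0 if not recovered */
} hit_t;

#define WINDOW 16      /* bytes of context inspected before the trigger */

/* 1 if needle occurs anywhere in buf[lo..hi) */
static int has_bytes(const uint8_t *buf, size_t lo, size_t hi,
                     const uint8_t *needle, size_t n)
{
    for (size_t i = lo; i + n <= hi; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* imm16 of the first 'MOV reg16,imm16' with this opcode in buf[lo..hi), else -1 */
static int find_mov_imm16(const uint8_t *buf, size_t lo, size_t hi, uint8_t op)
{
    for (size_t i = lo; i + 3 <= hi; i++)
        if (buf[i] == op) return buf[i + 1] | (buf[i + 2] << 8);
    return -1;
}

size_t scan_softice_checks(const uint8_t *buf, size_t len, hit_t *out, size_t max)
{
    static const uint8_t si_fg[]  = {0xBE, 0x47, 0x46};             /* MOV SI,4647h */
    static const uint8_t di_jm[]  = {0xBF, 0x4D, 0x4A};             /* MOV DI,4A4Dh */
    static const uint8_t bchk[]   = {0xBD, 0x4B, 0x48, 0x43, 0x42}; /* MOV EBP,'BCHK' */
    static const uint8_t ah43[]   = {0xB4, 0x43};                   /* MOV AH,43h */
    static const uint8_t push4f[] = {0x6A, 0x4F};                   /* PUSH 4Fh */
    static const uint8_t vwin32[] = {0x68, 0x2A, 0x00, 0x2A, 0x00}; /* PUSH 002A002Ah */
    size_t n = 0;
    for (size_t i = 0; i < len && n < max; i++) {
        size_t lo = i > WINDOW ? i - WINDOW : 0;
        if (buf[i] == 0xCC) {                                   /* INT 3 */
            if (has_bytes(buf, lo, i, si_fg, 3) && has_bytes(buf, lo, i, di_jm, 3)) {
                int ax = find_mov_imm16(buf, lo, i, 0xB8);      /* back door function */
                out[n++] = (hit_t){i, "int 3 back door (SI=4647h, DI=4A4Dh)",
                                   ax < 0 ? 0 : (unsigned)ax};
            } else if (has_bytes(buf, lo, i, bchk, 5)) {
                out[n++] = (hit_t){i, "BoundsChecker 'BCHK' check", 0};
            }
        } else if (buf[i] == 0xCD && i + 1 < len) {             /* INT xx */
            uint8_t vec = buf[i + 1];
            int ax = find_mov_imm16(buf, lo, i, 0xB8);
            int bx = find_mov_imm16(buf, lo, i, 0xBB);
            if (vec == 0x2F && ax == 0x1684 && (bx == 0x0202 || bx == 0x7A5F))
                out[n++] = (hit_t){i, "int 2Fh/1684h VxD entry-point probe", (unsigned)bx};
            else if (vec == 0x41 && ax == 0x4F)
                out[n++] = (hit_t){i, "int 41h/4Fh debugger-installed check", 0x4F};
            else if (vec == 0x68 && has_bytes(buf, lo, i, ah43, 2))
                out[n++] = (hit_t){i, "int 68h/AH=43h V86 handler check", 0x43};
        } else if (i + 5 <= len && memcmp(buf + i, vwin32, 5) == 0 &&
                   has_bytes(buf, lo, i, push4f, 2)) {          /* VxDCall Int41Dispatch */
            out[n++] = (hit_t){i, "VxDCall 002A002Ah with function 4Fh", 0x4F};
        }
    }
    return n;
}

/* Constructed sample (not real program bytes): one instance of each trick,
 * separated by NOP padding wider than WINDOW so hits cannot bleed together. */
#define PAD 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90
static const uint8_t sample[] = {
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,            /* Method 02 */
    PAD, 0x31,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,       /* Method 03 */
    PAD, 0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3,                             /* Method 05 */
    PAD, 0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04,             /* Method 01 */
    PAD, 0xB4,0x43, 0xCD,0x68, 0x3D,0x86,0xF3,                                  /* Method 07 */
    PAD, 0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00, 0xE8,0,0,0,0, 0x66,0x3D,0x86,0xF3 /* Method 12 */
};

size_t demo_scan(hit_t *out, size_t max)
{
    return scan_softice_checks(sample, sizeof sample, out, max);
}

int main(void)
{
    hit_t hits[16];
    size_t n = demo_scan(hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("+%04zx  %-40s detail=%04Xh\n", hits[i].offset, hits[i].name, hits[i].detail);
    return 0;
}
```

Running it lists six hits, one per embedded sequence, with the recovered AX function (0911h for the back door call, 4Fh for the int 41h and VxDCall variants) or VxD id (0202h). The 16-byte window is deliberately small: the constants are loaded right before the interrupt in every variant shown on this page, and a tighter window keeps false positives down on data sections that happen to contain a CCh byte.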
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; ds:dx -> new handler
    int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
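To make the two DR7 values quoted above readable, here is an added example in C, not from the original text, that decodes the DR7 bit fields and summarises the register in the terms used above: 0x400 is the always-set reserved bit 10 alone, 0x700 adds the LE and GE 'exact breakpoint' bits, and any Ln/Gn bit means a hardware breakpoint (a BPM) is armed in the matching DR0..DR3 slot. The bit layout is the documented x86 one; the values fed to it are chosen for illustration.

```c
/* Added example (not from the original text): decode DR7 so the values
 * Method 10 quotes (0x400 and 0x700) can be read off, and flag armed
 * hardware breakpoints.  Layout assumed is the architectural x86 one:
 *   bits 0-7   L0,G0 .. L3,G3 (local/global enable per slot)
 *   bit 8 LE, bit 9 GE (local/global exact), bit 10 reserved, reads as 1
 *   bit 13 GD (general detect)
 *   bits 16+4n..17+4n R/Wn, bits 18+4n..19+4n LENn for slot n */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int local[4], global[4];   /* Ln / Gn enable bits */
    int rw[4], len[4];         /* R/Wn: 0=exec 1=write 3=read/write; LENn: 0=1 1=2 3=4 bytes */
    int le, ge, gd;            /* local/global exact, general detect */
    int armed;                 /* number of slots with L or G set */
} dr7_t;

dr7_t decode_dr7(uint32_t dr7)
{
    dr7_t d = {0};
    for (int n = 0; n < 4; n++) {
        d.local[n]  = (dr7 >> (2 * n)) & 1;
        d.global[n] = (dr7 >> (2 * n + 1)) & 1;
        d.rw[n]     = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n]    = (dr7 >> (18 + 4 * n)) & 3;
        if (d.local[n] || d.global[n]) d.armed++;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* Summary in the terms Method 10 uses: 0x400 is a DR7 nobody has touched,
 * LE|GE on top of it is the 0x700 attributed to the SoftICE loader, and any
 * Ln/Gn bit means a BPM is armed (its address is in the matching DRn). */
const char *describe_dr7(uint32_t dr7)
{
    dr7_t d = decode_dr7(dr7);
    if (d.armed)                return "hardware breakpoint(s) armed";
    if (d.le || d.ge)           return "no breakpoints, but LE/GE exact bits set";
    if ((dr7 & ~0x400u) == 0)   return "clean (reserved bit only)";
    return "no breakpoints, other control bits set";
}

int main(void)
{
    /* illustrative values: untouched, loader-style, and one armed 4-byte write BPM in slot 0 */
    const uint32_t samples[] = {0x400, 0x700, 0x000D0002u};
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        dr7_t d = decode_dr7(samples[i]);
        printf("DR7=%08X  LE=%d GE=%d GD=%d armed=%d  slot0: rw=%d len=%d  -> %s\n",
               (unsigned)samples[i], d.le, d.ge, d.gd, d.armed,
               d.rw[0], d.len[0], describe_dr7(samples[i]));
    }
    return 0;
}
```

The third sample, 0x000D0002, decodes to G0 set with R/W0 = 1 (write) and LEN0 = 3 (four bytes), which is exactly the state a BPM on a dword leaves behind: it is the Ln/Gn bits, not the 0x700 signature, that a program reading DR7 should be expected to key on when looking for breakpoints.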

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);     /* the device could be opened: SoftICE is loaded */
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                       *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax                 ; HFILE_ERROR (-1) becomes 0 when the open failed
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f
    BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one
    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f      ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
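Both this method and Method 11 boil down to a string argument handed to an API, which is what an API monitor or sandbox can check without any of the VxD-level hooking discussed above. The C program below is an added example, not from the original text. It transcribes the two SoftICE breakpoint conditions literally (esp->4 is the first stack argument of CreateFileA, lpFileName, and the +4 skips the four-byte \\.\ prefix; esp->8 is the second argument of RegOpenKey, lpSubKey, and 0x13 and 0x37 are the offsets at which "tICE" lands in keys #2 and #1), then adds the more general, case-insensitive checks a monitor would actually use. The device and key names it classifies are the ones given on this page; the function names are this example's own.

```c
/* Added example (not from the original text): string checks a monitor can
 * apply to CreateFileA/_lopen and RegOpenKey arguments to flag the probes of
 * Methods 11 and 13, next to literal transcriptions of the two SoftICE
 * breakpoint conditions quoted there:
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || ...   (esp->4 = lpFileName)
 *   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 *                                                   (esp->8 = lpSubKey)   */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* case-insensitive equality and substring search (not in the C library) */
static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static const char *ci_strstr(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == n) return hay;
    }
    return NULL;
}

/* device names from Method 11: SICE and SIWVID on Win9x, NTICE on NT */
static const char *const debugger_devices[] = {"SICE", "SIWVID", "NTICE"};

/* literal transcription of the CreateFileA breakpoint: 4 bytes after the prefix */
int bpx_createfile_condition(const char *lpFileName)
{
    if (strlen(lpFileName) < 8) return 0;          /* needs "\\.\" plus 4 bytes */
    const char *p = lpFileName + 4;                 /* esp->4 + 4 */
    return memcmp(p, "SICE", 4) == 0 || memcmp(p, "SIWV", 4) == 0 ||
           memcmp(p, "NTIC", 4) == 0;
}

/* general check: strip "\\.\" and compare the whole device name, ignoring case */
int is_debugger_device_open(const char *lpFileName)
{
    if (strncmp(lpFileName, "\\\\.\\", 4) != 0) return 0;
    const char *dev = lpFileName + 4;
    for (size_t i = 0; i < sizeof debugger_devices / sizeof *debugger_devices; i++)
        if (ci_equal(dev, debugger_devices[i])) return 1;
    return 0;
}

/* literal transcription of the _regopenkey breakpoint, with bounds checks
 * the debugger expression does not need (it reads memory regardless) */
int bpx_regopenkey_condition(const char *lpSubKey)
{
    size_t n = strlen(lpSubKey);
    return (n >= 0x13 + 4 && memcmp(lpSubKey + 0x13, "tICE", 4) == 0) ||
           (n >= 0x37 + 4 && memcmp(lpSubKey + 0x37, "tICE", 4) == 0);
}

/* general check covering all three keys of Method 13, including #3, which the
 * offset-based breakpoint cannot see ("Loader32.Exe" contains no "tICE") */
int is_softice_registry_probe(const char *lpSubKey)
{
    return ci_strstr(lpSubKey, "SoftICE") != NULL ||
           ci_strstr(lpSubKey, "NuMega") != NULL ||
           ci_strstr(lpSubKey, "App Paths\\Loader32.Exe") != NULL;
}

int main(void)
{
    const char *names[] = {"\\\\.\\SICE", "\\\\.\\siwvid", "\\\\.\\PhysicalDrive0"};
    const char *keys[] = {"Software\\NuMega\\SoftICE",
                          "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"};
    for (int i = 0; i < 3; i++)
        printf("CreateFileA(\"%s\"): bpx=%d general=%d\n", names[i],
               bpx_createfile_condition(names[i]), is_debugger_device_open(names[i]));
    for (int i = 0; i < 2; i++)
        printf("RegOpenKey(\"%s\"): bpx=%d general=%d\n", keys[i],
               bpx_regopenkey_condition(keys[i]), is_softice_registry_probe(keys[i]));
    return 0;
}
```

Two things the literal transcriptions make visible: the CreateFileA breakpoint compares bytes, so a lower-case spelling of the device name slips past it, and the _regopenkey breakpoint only fires for keys #1 and #2, because it is tied to the exact offset of "tICE" in those two strings. A monitor built on the general checks does not have either blind spot.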
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
; `2 h1 u: M- z8 r: t9 v3 l9 s</PRE></TD></TR></TBODY></TABLE> |