<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: when SoftICE is resident
it answers this interface call and returns with al changed, so al is no
longer 4 afterwards.

        mov     ebp, 04243484Bh         ; 'BCHK'
        mov     ax, 04h
        int     3
        cmp     al, 4
        jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give information on
breakpoints, or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095  MOV  AX,0911     ; execute command.
4C19:0098  MOV  DX,[BX]     ; ds:dx points to the command (see below).
4C19:009A  MOV  SI,4647     ; 1st magic value.
4C19:009D  MOV  DI,4A4D     ; 2nd magic value.
4C19:00A0  INT  3           ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1  ADD  BX,02       ; BX+2 to point to the next command to execute.
4C19:00A4  INC  CX
4C19:00A5  CMP  CX,06       ; Repeat 6 times to execute
4C19:00A8  JB   0095        ; 6 different commands.
4C19:00AA  JMP  0002        ; Bad_Guy: jmp back.
4C19:00AD  MOV  BX,SP       ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is not loaded, ES:DI stays 0.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 0202h               ; VxD ID of winice
        int     2Fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

        xor     di, di
        mov     es, di
        mov     ax, 1684h
        mov     bx, 7a5Fh               ; VxD ID of SIWVID
        int     2fh
        mov     ax, es                  ; ES:DI -> VxD API entry point
        add     ax, di
        test    ax, ax
        jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

        mov     ax, 4fh
        int     41h
        cmp     ax, 0F386h
        jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped to a dummy
handler (a plain iret) around the call, so a debugger that only hooked the
vector would not be reached: if ax still comes back as 0F386h, the answer
came from a debugger sitting below the interrupt table, as SoftICE does.

        xor     ax, ax
        mov     es, ax                  ; es = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler2
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        mov     ax, 4fh
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     ax, 0f386h
        jz      SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The dummy handler copies al into cl; al holds a byte read from the timer
port (40h) and cx was zeroed beforehand. If the handler really ran, cl
equals al afterwards; if something intercepted int 41h without chaining to
the vector, cl stays 0 and the mismatch gives the debugger away:

int41handler PROC
        mov     cl, al
        iret
int41handler ENDP

        xor     ax, ax
        mov     es, ax                  ; es = 0 -> interrupt vector table
        mov     bx, cs
        lea     dx, int41handler
        xchg    dx, es:[41h*4]
        xchg    bx, es:[41h*4+2]
        in      al, 40h
        xor     cx, cx
        int     41h
        xchg    dx, es:[41h*4]          ; restore the original vector
        xchg    bx, es:[41h*4+2]
        cmp     cl, al
        jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode):

        mov     ah, 43h
        int     68h
        cmp     ax, 0F386h
        jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
32-bit app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

        mov     ah, 25h
        mov     al, Int_Number          ; 01h or 03h
        mov     dx, offset New_Int_Routine
        int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov     eax, Device_ID          ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov     edi, Device_Name        ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov     [DDB], ecx              ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
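As an added illustration (this Python is not part of the original text), here is a decoder for the DR7 values quoted above. It shows what separates the idle value 0x400 from 0x700 at the bit level, and lists which DR0-DR3 slots are armed, which is what an analyst reads from a dump of the debug registers. The bit layout follows the Intel manuals (DR7: L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, reserved-1 bit 10, GD bit 13, R/Wn and LENn in bits 16-31); the sample register values in the test are constructed.

```python
"""Decode an x86 DR7 value and list the hardware breakpoints it arms.

Added example for Method 10, not code from the original document. Field
positions follow the Intel SDM description of the debug registers.
"""

DR7_LE = 0x100        # bit 8:  local exact breakpoint enable
DR7_GE = 0x200        # bit 9:  global exact breakpoint enable
DR7_RESERVED = 0x400  # bit 10: reserved, always reads as 1 (hence the idle value 0x400)
DR7_GD = 0x2000       # bit 13: general detect, traps any MOV to/from a debug register

# R/Wn field (2 bits per slot) and LENn field (2 bits per slot)
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 8 bytes only in 64-bit mode; undefined in 32-bit


def decode_dr7(dr7):
    """Return the named fields of a DR7 value as a dict."""
    slots = []
    for n in range(4):
        slots.append({
            "local": bool((dr7 >> (2 * n)) & 1),        # Ln bit
            "global": bool((dr7 >> (2 * n + 1)) & 1),   # Gn bit
            "rw": RW_NAMES[(dr7 >> (16 + 4 * n)) & 3],  # R/Wn
            "len": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],  # LENn
        })
    return {
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
        "slots": slots,
    }


def active_breakpoints(dr0_3, dr7):
    """List (slot, address, access, length) for each DRn whose L or G bit is set.

    dr0_3 is a sequence of the four DR0..DR3 values (constructed by the caller).
    """
    info = decode_dr7(dr7)
    out = []
    for n, slot in enumerate(info["slots"]):
        if slot["local"] or slot["global"]:
            out.append((n, dr0_3[n], slot["rw"], slot["len"]))
    return out


def classify_dr7(dr7):
    """Read a DR7 value the way the text above does: 0x400 is the idle state
    (only the reserved bit), 0x700 has LE and GE set on top of it."""
    info = decode_dr7(dr7)
    if info["le"] or info["ge"]:
        return "exact-breakpoint enables set"
    if any(s["local"] or s["global"] for s in info["slots"]):
        return "hardware breakpoints armed"
    return "idle"


if __name__ == "__main__":
    for value in (0x400, 0x700, 0xD0401):
        print(hex(value), classify_dr7(value), decode_dr7(value)["slots"][0])
    # constructed DR0 value: a 4-byte write breakpoint armed in slot 0
    print(active_breakpoints([0x401000, 0, 0, 0], 0xD0401))
```

The third constructed value, 0xD0401, is what a single 4-byte write breakpoint in slot 0 looks like on top of the idle 0x400 (L0 set, R/W0 = write, LEN0 = 4 bytes), which is the kind of BPM state the paragraph says a ring0 check could read or clear.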
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if a handle to the SICE device can be opened, i.e. the
   SoftICE VxD is loaded and answers the open request. */
BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;

    hFile = CreateFile("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

        00401067:  push  00402025               ; \\.\SICE
        0040106C:  call  CreateFileA
        00401071:  cmp   eax,-001
        00401074:  je    00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
                                        ; will break 3 times :-(
-or (a bit) faster:

        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
                                        ; will break 3 times :-(

-Much faster:

        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push    00                      ; OF_READ
        mov     eax,[00656634]          ; '\\.\SICE',0
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jnz     00650589                ; detected
        push    00                      ; OF_READ
        mov     eax,[00656638]          ; '\\.\SICE'
        push    eax
        call    KERNEL32!_lopen
        inc     eax
        jz      006505ae                ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push    0000004fh               ; function 4fh
        push    002a002ah               ; high word specifies which VxD (VWIN32),
                                        ; low word specifies which service
                                        ; (VWIN32_Int41Dispatch)
        call    Kernel32!ORD_001        ; VxdCall
        cmp     ax, 0f386h              ; magic number returned by system debuggers
        jz      SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f

        BPINT 30 if ax==0xF386          ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

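The following Python script is an added example, not code from the original document or from any of the tools it names. It is the static counterpart of the SoftICE breakpoints listed above: given a raw byte buffer (a DOS executable, a PE section, a memory dump), it searches for the byte-level traces of Method 01 (the 'BCHK' immediate of mov ebp), Method 02 (the 4647h/4A4Dh magic values loaded into si/di), Methods 05/06/12 (the cmp ax,0F386h reply check and the mov ax,4Fh / int 41h pair), Method 11 (the \\.\SICE, \\.\SIWVID and \\.\NTICE device names) and Method 13 (the NuMega registry key). The opcode encodings are standard x86 (immediates little-endian); the SAMPLE buffer is constructed here to exercise the scanner and is not taken from any real program, and the 32-bit form of Method 01 (66h prefix on mov ax) is an assumption about how such code is typically assembled.

```python
"""Static scanner for the SoftICE-detection signatures described above.

Added example, not code from the original document. Signature names are
chosen here; opcode encodings are standard x86 with little-endian immediates.
"""
import re

# Device names opened by MeltICE-style checks (Method 11), as NUL-terminated strings.
DEVICE_NAMES = [rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE"]

SIGNATURES = {
    # Method 01: mov ebp, 4243484Bh ('BCHK')  ->  BD 4B 48 43 42
    "bchk_int3": re.compile(rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h ; mov di,4A4Dh (16-bit code)  ->  BE 47 46 BF 4D 4A
    "int3_backdoor_magic": re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A"),
    # Methods 05/06/12: cmp ax,0F386h  ->  3D 86 F3, with a 66h prefix in 32-bit code
    "debugger_magic_f386": re.compile(rb"\x66?\x3D\x86\xF3"),
    # Method 05: mov ax,4Fh ; int 41h (16-bit code)  ->  B8 4F 00 CD 41
    "int41_4f": re.compile(rb"\xB8\x4F\x00\xCD\x41"),
    # Method 11: "\\.\SICE",0 and friends
    "meltice_device": re.compile(
        b"(?:" + b"|".join(re.escape(n) for n in DEVICE_NAMES) + b")\x00"),
    # Method 13: registry key used to locate the installation directory
    "registry_numega": re.compile(re.escape(rb"Software\NuMega\SoftICE"), re.IGNORECASE),
}


def scan(data):
    """Return a sorted list of (offset, signature_name) for every hit in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def summarize(data):
    """Count hits per signature, the shape a triage report would list."""
    counts = {name: 0 for name in SIGNATURES}
    for _, name in scan(data):
        counts[name] += 1
    return counts


# Constructed sample buffer: padding, the Method 01 sequence as assembled for
# 32-bit code, a MeltICE device string, a 16-bit Method 05 check and the
# Method 13 registry key. None of this comes from a real binary.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42"        # mov ebp, 4243484Bh
    + b"\x66\xB8\x04\x00"            # mov ax, 4
    + b"\xCC"                        # int 3
    + b"\x3C\x04"                    # cmp al, 4
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"             # "\\.\SICE",0
    + b"\x00" * 8
    + b"\xB8\x4F\x00\xCD\x41"        # mov ax,4Fh ; int 41h
    + b"\x3D\x86\xF3"                # cmp ax, 0F386h
    + b"\x00" * 8
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
    print(summarize(SAMPLE))
```

Run it against a file with `scan(open(path, "rb").read())`. The immediates are deliberately matched on their own (the 'BCHK' constant, the si/di pair) rather than as whole instruction sequences, since packers reorder and interleave the surrounding instructions; the price is the occasional false positive on unrelated data, which is why offsets are reported for manual review rather than a verdict.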
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>