<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

 mov ebp, 04243484Bh ; 'BCHK'
 mov ax, 04h
 int 3               ; BoundsChecker interface: SoftICE modifies al if it handles the call
 cmp al,4            ; al unchanged -> nobody answered
 jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint infos)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095 MOV AX,0911 ; execute command.
4C19:0098 MOV DX,[BX] ; ds:dx point to the command (see below).
4C19:009A MOV SI,4647 ; 1st magic value.
4C19:009D MOV DI,4A4D ; 2nd magic value.
4C19:00A0 INT 3       ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1 ADD BX,02   ; BX+2 to point to the next command to execute.
4C19:00A4 INC CX
4C19:00A5 CMP CX,06   ; Repeat 6 times to execute
4C19:00A8 JB 0095     ; 6 different commands.
4C19:00AA JMP 0002    ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP   ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 0202h ; VxD ID of winice
 int 2Fh
 mov ax, es    ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
 add ax, di
 test ax,ax
 jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

 xor di,di
 mov es,di
 mov ax, 1684h
 mov bx, 7a5Fh ; VxD ID of SIWVID
 int 2fh
 mov ax, es    ; ES:DI -> VxD API entry point
 add ax, di
 test ax,ax
 jnz SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

 mov ax,4fh
 int 41h
 cmp ax, 0F386h
 jz SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

 mov bx, cs
 lea dx, int41handler2
 xchg dx, es:[41h*4]   ; ES must be 0 here: swap our handler into the IVT,
 xchg bx, es:[41h*4+2] ; dx:bx keep the old vector
 mov ax,4fh
 int 41h
 xchg dx, es:[41h*4]   ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp ax, 0f386h        ; our own handler leaves ax untouched
 jz SoftICE_detected

int41handler2 PROC
 iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
 mov cl,al             ; copy al so the caller can tell our handler really ran
 iret
int41handler ENDP

 xor ax,ax
 mov es,ax             ; ES = 0 -> IVT
 mov bx, cs
 lea dx, int41handler
 xchg dx, es:[41h*4]   ; install our handler, keep the old vector in dx:bx
 xchg bx, es:[41h*4+2]
 in al, 40h            ; ever-changing byte from the timer port
 xor cx,cx
 int 41h
 xchg dx, es:[41h*4]   ; restore the original vector
 xchg bx, es:[41h*4+2]
 cmp cl,al             ; cl != al: our handler never saw the int
 jnz SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

 mov ah,43h
 int 68h
 cmp ax,0F386h
 jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========
It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

 mov ah, 25h                    ; DOS set interrupt vector
 mov al, Int_Number             ; 01h or 03h
 mov dx, offset New_Int_Routine ; ds:dx -> new handler
 int 21h

__________________________________________________________________________
Method 09
=========
This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

 mov eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
 mov edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
 VMMCall Get_DDB
 mov [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!
This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
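As an added example (not part of the original text), a small C decoder for the DR7 values quoted above: 0x400 is only the always-set reserved bit 10, 0x700 adds the LE/GE exact-breakpoint enables the SoftICE loader sets, and any L0..G3 bit betrays a BPM to a ring0 reader. 0xF0701 is a constructed value for a 4-byte read/write breakpoint in DR0.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded DRn slot of DR7 (n = 0..3). */
typedef struct {
    int local_enable;   /* Ln   (bit 2n)   */
    int global_enable;  /* Gn   (bit 2n+1) */
    int rw;             /* R/Wn (bits 16+4n..17+4n): 0 exec, 1 write, 2 I/O, 3 read/write */
    int len_bytes;      /* LENn (bits 18+4n..19+4n) decoded to 1, 2, 8 or 4 bytes */
} dr7_slot;

typedef struct {
    dr7_slot slot[4];
    int le, ge;         /* bits 8, 9: local/global exact breakpoint enable */
    int bit10;          /* reserved, always reads as 1: the 0x400 the text mentions */
    int gd;             /* bit 13: general detect, faults on any MOV to/from DRn */
    int armed;          /* slots with L or G set, i.e. visible BPMs */
} dr7_info;

dr7_info decode_dr7(uint32_t dr7)
{
    static const int len_table[4] = { 1, 2, 8, 4 };
    dr7_info d;
    memset(&d, 0, sizeof d);
    for (int n = 0; n < 4; n++) {
        d.slot[n].local_enable  = (dr7 >> (2 * n))      & 1;
        d.slot[n].global_enable = (dr7 >> (2 * n + 1))  & 1;
        d.slot[n].rw            = (dr7 >> (16 + 4 * n)) & 3;
        d.slot[n].len_bytes     = len_table[(dr7 >> (18 + 4 * n)) & 3];
        if (d.slot[n].local_enable || d.slot[n].global_enable)
            d.armed++;
    }
    d.le    = (dr7 >> 8)  & 1;
    d.ge    = (dr7 >> 9)  & 1;
    d.bit10 = (dr7 >> 10) & 1;
    d.gd    = (dr7 >> 13) & 1;
    return d;
}

static void describe(uint32_t dr7)
{
    static const char *rw_name[4] = { "exec", "write", "io", "read/write" };
    dr7_info d = decode_dr7(dr7);
    printf("DR7=%#x LE=%d GE=%d GD=%d armed=%d\n", (unsigned)dr7, d.le, d.ge, d.gd, d.armed);
    for (int n = 0; n < 4; n++)
        if (d.slot[n].local_enable || d.slot[n].global_enable)
            printf("  DR%d: %s, %d byte(s)\n", n, rw_name[d.slot[n].rw], d.slot[n].len_bytes);
}

int main(void)
{
    describe(0x400);    /* plain Win9x: nothing armed, only reserved bit 10 */
    describe(0x700);    /* started through the SoftICE loader: LE+GE set */
    describe(0xF0701);  /* constructed: DR0 armed, R/W0=3, LEN0=3 -> 4-byte BPM */
    return 0;
}
```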

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Opening the driver's device name only succeeds if the VxD is loaded. */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


00401067: push 00402025 ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-001
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
 BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
 *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
 BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
 ;will break 3 times :-(

-or (a bit) faster:
 BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

 BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
 ;will break 3 times :-(

-Much faster:
 BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

 push 00               ; OF_READ
 mov eax,[00656634]    ; '\\.\SICE',0
 push eax
 call KERNEL32!_lopen
 inc eax               ; HFILE_ERROR (-1) becomes 0
 jnz 00650589          ; detected
 push 00               ; OF_READ
 mov eax,[00656638]    ; '\\.\SICE'
 push eax
 call KERNEL32!_lopen
 inc eax
 jz 006505ae           ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

 push 0000004fh        ; function 4fh
 push 002a002ah        ; high word specifies which VxD (VWIN32)
                       ; low word specifies which service
                       ; (VWIN32_Int41Dispatch)
 call Kernel32!ORD_001 ; VxdCall
 cmp ax, 0f386h        ; magic number returned by system debuggers
 jz SoftICE_detected

Here again, several ways to detect it:

BPINT 41 if ax==4f

BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

 BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========
A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

 VMMCall Test_Debug_Installed
 je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>