<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

        mov ebp, 04243484Bh     ; 'BCHK'
        mov ax, 04h
        int 3
        cmp al,4
        jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give info on breakpoints or execute
SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command - the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095 MOV AX,0911   ; execute command.
4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
4C19:009A MOV SI,4647   ; 1st magic value.
4C19:009D MOV DI,4A4D   ; 2nd magic value.
4C19:00A0 INT 3         ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute
4C19:00A4 INC CX
4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
4C19:00A8 JB 0095       ; 6 different commands.
4C19:00AA JMP 0002      ; Bad_Guy jmp back.
4C19:00AD MOV BX,SP     ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 0202h           ; VxD ID of winice
        int 2Fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

        xor di,di
        mov es,di
        mov ax, 1684h
        mov bx, 7a5Fh           ; VxD ID of SIWVID
        int 2fh
        mov ax, es              ; ES:DI -> VxD API entry point
        add ax, di
        test ax,ax
        jnz SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives. The following one is the simplest:

        mov ax,4fh
        int 41h
        cmp ax, 0F386h
        jz SoftICE_detected

The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

        ; es must be 0 here (the interrupt vector table segment), as set
        ; up in Method 06 below.
        mov bx, cs
        lea dx, int41handler2
        xchg dx, es:[41h*4]     ; install our own int 41h handler...
        xchg bx, es:[41h*4+2]
        mov ax,4fh
        int 41h
        xchg dx, es:[41h*4]     ; ...and restore the original vector
        xchg bx, es:[41h*4+2]
        cmp ax, 0f386h
        jz SoftICE_detected

int41handler2 PROC
        iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
        mov cl,al
        iret
int41handler ENDP

        xor ax,ax
        mov es,ax
        mov bx, cs
        lea dx, int41handler
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        in al, 40h              ; random-ish value from the timer port
        xor cx,cx
        int 41h
        xchg dx, es:[41h*4]
        xchg bx, es:[41h*4+2]
        cmp cl,al               ; our handler copied al into cl; a debugger did not
        jnz SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

        mov ah,43h
        int 68h
        cmp ax,0F386h
        jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
app like this:

        BPX exec_int if ax==68

(the function called is located at byte ptr [ebp+1Dh] and the client eip is
located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

        mov ah, 25h
        mov al, Int_Number      ; 01h or 03h
        mov dx, offset New_Int_Routine
        int 21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

        mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
        mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
        VMMCall Get_DDB
        mov [DDB], ecx          ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

        bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
    HANDLE hFile;
    /* Try to open the Win9x SoftICE driver by its device name. */
    hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
        return TRUE;    /* the driver answered: SoftICE is loaded */
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

00401067: push 00402025         ; \\.\SICE
0040106C: call CreateFileA
00401071: cmp eax,-1            ; INVALID_HANDLE_VALUE
00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
        BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
                           *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
        BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
        ;will break 3 times :-(

-or (a bit) faster:
        BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

        BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
        ;will break 3 times :-(

-Much faster:
        BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

        push 00                 ; OF_READ
        mov eax,[00656634]      ; '\\.\SICE',0
        push eax
        call KERNEL32!_lopen
        inc eax
        jnz 00650589            ; detected
        push 00                 ; OF_READ
        mov eax,[00656638]      ; '\\.\SICE'
        push eax
        call KERNEL32!_lopen
        inc eax
        jz 006505ae             ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

        push 0000004fh          ; function 4fh
        push 002a002ah          ; high word specifies which VxD (VWIN32),
                                ; low word specifies which service
                                ; (VWIN32_Int41Dispatch)
        call Kernel32!ORD_0001  ; VxdCall
        cmp ax, 0f386h          ; magic number returned by system debuggers
        jz SoftICE_detected

Here again, several ways to detect it:

        BPINT 41 if ax==4f
        BPINT 30 if ax==0xF386  ; SoftICE must be loaded for this one

        BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A
        BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

        BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
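As an added example (not from the original text), the following Python evaluates the two breakpoint conditions quoted in Methods 11 and 13, `*(esp->4+4)=='SICE'` and `*(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'`, against a constructed memory snapshot. It models the SoftICE expression syntax as the example understands it: `reg->off` is the dword at reg+off, `*(addr)` reads memory at addr, and a 4-character constant is compared with the four bytes in memory order, which is what makes 0x13 and 0x37 land on "tICE" inside key #2 and key #1 above. Addresses, stack frames and the string table are constructed for the demonstration; only the return address 00401071 is taken from the MeltICE listing.

```python
"""Evaluate the SoftICE conditional-breakpoint expressions of Methods 11 and 13
against a constructed memory snapshot (added example, not from the text).

'reg->off' is the dword at reg+off, '*(addr)' reads memory at addr, and a
4-character constant such as 'SICE' is compared with the four bytes in memory
order. Addresses, frames and the string table are constructed; only the
return address 00401071 comes from the MeltICE listing above."""
import struct

STRINGS_BASE = 0x00402000   # constructed: where the string table is mapped
STACK_BASE = 0x0012FF00     # constructed: esp at the API entry point


class Snapshot:
    """A few mapped byte ranges plus the esp value at the breakpoint."""

    def __init__(self, regions, esp):
        self.regions = regions   # {base_address: bytes}
        self.esp = esp

    def read(self, addr, n):
        for base, blob in self.regions.items():
            if base <= addr and addr + n <= base + len(blob):
                return blob[addr - base:addr - base + n]
        return None              # unmapped: the condition cannot match

    def dword(self, addr):
        raw = self.read(addr, 4)
        return struct.unpack("<I", raw)[0] if raw is not None else None


def arrow(snap, reg, off):
    """SoftICE 'reg->off': the dword at reg+off (reg is the esp value here)."""
    return snap.dword(reg + off)


def createfile_condition(snap):
    """BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
    At the API entry [esp] is the return address and [esp+4] is lpFileName;
    the +4 skips the '\\\\.\\' prefix of the device name."""
    name_ptr = arrow(snap, snap.esp, 4)
    return snap.read(name_ptr + 4, 4) in (b"SICE", b"SIWV", b"NTIC")


def regopenkey_condition(snap):
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    [esp+8] is lpSubKey; 0x13 and 0x37 are where 'tICE' sits inside key #2
    (Software\\NuMega\\SoftICE) and key #1 (...\\Uninstall\\SoftICE)."""
    key_ptr = arrow(snap, snap.esp, 8)
    return any(snap.read(key_ptr + off, 4) == b"tICE" for off in (0x13, 0x37))


def build_table(base, entries, pad=64):
    """Lay NUL-terminated strings out back to back; return (bytes, {name: address})."""
    table, ptrs = b"", {}
    for name, s in entries:
        ptrs[name] = base + len(table)
        table += s + b"\x00"
    return table + b"\x00" * pad, ptrs


def demo():
    """Run both conditions over constructed call frames; returns {case: bool}."""
    table, ptrs = build_table(STRINGS_BASE, [
        ("sice", b"\\\\.\\SICE"),
        ("numega", b"Software\\NuMega\\SoftICE"),
        ("uninstall", b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE"),
        ("readme", b"C:\\readme.txt"),
    ])
    results = {}
    for name in ("sice", "readme"):
        # CreateFileA frame: [esp]=return address (from the listing), [esp+4]=lpFileName
        frame = struct.pack("<II", 0x00401071, ptrs[name])
        snap = Snapshot({STRINGS_BASE: table, STACK_BASE: frame}, STACK_BASE)
        results["CreateFileA:" + name] = createfile_condition(snap)
    for name in ("numega", "uninstall", "readme"):
        # RegOpenKey frame: return address (constructed), hKey=HKEY_LOCAL_MACHINE, lpSubKey
        frame = struct.pack("<III", 0x00401234, 0x80000002, ptrs[name])
        snap = Snapshot({STRINGS_BASE: table, STACK_BASE: frame}, STACK_BASE)
        results["RegOpenKey:" + name] = regopenkey_condition(snap)
    # Edge case: a short key mapped with no padding, so esp->8+0x37 runs off the
    # end of mapped memory; read() returns None and the condition is simply false.
    short = b"Software\\Foo\x00"
    frame = struct.pack("<III", 0x00401234, 0x80000002, STRINGS_BASE)
    snap = Snapshot({STRINGS_BASE: short, STACK_BASE: frame}, STACK_BASE)
    results["RegOpenKey:short"] = regopenkey_condition(snap)
    return results


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case:<22} {'break' if hit else 'no break'}")
```

Running it shows the CreateFileA condition firing only for the `\\.\SICE` name and the _regopenkey condition firing for both SoftICE key paths while staying silent on an unrelated key, including one too short for the +0x37 probe.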
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

        VMMCall Test_Debug_Installed
        je not_installed

This service just checks a flag.
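The checks above leave recognisable bytes in any binary that carries them, which is what an analyst triaging a sample looks for. The following Python is an added example, not from the original text: a small static scanner that searches a raw image for the x86 encodings of the instructions and strings quoted in Methods 01 to 13 (the byte patterns are my own encodings of those instructions; the sample image at the bottom is constructed for the demonstration). It is a defender's aid for spotting anti-debugging capability without running the sample; it does not detect a debugger itself.

```python
"""Static triage for the anti-SoftICE checks described in Methods 01-14
(added example, not from the original text).

Scans a raw binary image for the byte encodings of the instructions and
strings quoted above so an analyst can flag a sample that carries these
anti-debugging checks. The sample image below is constructed for the demo."""
import re

# (methods from the text, compiled byte regex, what the bytes are)
# Encodings used (standard x86): mov ebp,imm32 = BD + imm32 LE;
# mov si/di,imm16 = BE/BF + imm16 LE; mov bx,imm16 = BB + imm16 LE;
# int NN = CD NN; cmp ax,imm16 = 3D + imm16 LE. In 32-bit code the 16-bit
# forms carry a 66 prefix, so the prefix is deliberately not part of the pattern.
SIGNATURES = [
    ("01", re.compile(rb"\xBD\x4B\x48\x43\x42"),
     "mov ebp,4243484Bh : BoundsChecker 'BCHK' tag before int 3"),
    ("02", re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A", re.S),
     "mov si,4647h ... mov di,4A4Dh : SoftICE back-door magic values"),
    ("03/04", re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F", re.S),
     "mov bx,0202h|7A5Fh ... int 2Fh : VxD API entry-point query (SICE/SIWVID)"),
    ("05/06/07/12", re.compile(rb"\x3D\x86\xF3"),
     "cmp ax,0F386h : system-debugger magic number"),
    ("11", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
     "\\\\.\\SICE|SIWVID|NTICE : MeltICE-style driver handle name"),
    ("13", re.compile(rb"Software\\NuMega\\SoftICE"),
     "registry key Software\\NuMega\\SoftICE"),
]


def scan(image: bytes):
    """Return [(offset, methods, description)] for every signature hit, by offset."""
    hits = []
    for methods, pattern, desc in SIGNATURES:
        for m in pattern.finditer(image):
            hits.append((m.start(), methods, desc))
    return sorted(hits)


def methods_found(image: bytes):
    """The distinct method labels whose signatures occur in the image."""
    return sorted({methods for _, methods, _ in scan(image)})


# Constructed sample image: NOP padding around hand-assembled fragments of
# Methods 01, 03 and 05 plus the strings of Methods 11 and 13.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"                        # mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00\xCC"                        # mov ax,4 ; int 3
    + b"\x3C\x04\x75\x10"                            # cmp al,4 ; jnz
    + b"\x90" * 4
    + b"\x66\xBB\x02\x02\xCD\x2F"                    # mov bx,0202h ; int 2Fh
    + b"\x90" * 4
    + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3"    # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                             # device name for CreateFileA
    + b"Software\\NuMega\\SoftICE\x00"               # registry key path
)

if __name__ == "__main__":
    for offset, methods, desc in scan(SAMPLE):
        print(f"{offset:#06x}  method {methods:<12} {desc}")
```

The patterns are intentionally loose (no 66 prefix, a short wildcard gap between the register load and the interrupt) so that both 16-bit and 32-bit builds of the same check are caught; on a real sample the hits are leads for the disassembler, not proof by themselves.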
</PRE></TD></TR></TBODY></TABLE> |